Snort mailing list archives

Re: Problem with http_header content modifier


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 10 Jul 2015 13:05:45 -0400

On 07/10/2015 11:41 AM, Frederico Araujo wrote:
Hi,

Snort is not firing alerts when I use the http modifier http_header. I have a
very simple test rule that matches on a string that I set on a HTTP request
header, and the alert only fires if I remove http_header from the rule.

does it work if you use http_raw_header instead?

what does a packet capture of that packet look like?

lastly, i see you are using $EXTERNAL_NET and $HOME_NET and your snort is on a 
NATed VM...

is your snort looking at the raw unNATed data on the outside interface of your VM?

perhaps your $EXTERNAL_NET doesn't encompass the IP you are testing from?

what are the contents of your $EXTERNAL_NET and $HOME_NET along with your 
testing IP and your snort's IP?


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
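Added example, not from the thread: a test setup that exercises the checks asked about above, with the same constructed header matched three ways (http_header, http_raw_header, and no modifier at all) beside the snort.conf variable and http_inspect port settings that must be right for the HTTP buffers to be populated. The header name, address ranges, ports and SIDs are assumptions.

```snort
# --- snort.conf fragments (assumed lab values for a NATed VM) ---
# The testing host must fall inside $EXTERNAL_NET and the web server inside
# $HOME_NET as seen on the interface Snort actually sniffs: if Snort sits
# behind the NAT, use the translated addresses, not the outside ones.
ipvar HOME_NET 192.168.56.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]

# http_header and http_raw_header are filled in by http_inspect only for the
# ports listed here; traffic on any other port leaves the buffers empty, so a
# rule using either modifier silently never fires.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } oversize_dir_length 500

# --- local.rules ---
# Normalized header buffer (http_inspect normalizes case and whitespace).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"TEST X-Debug header via http_header"; \
    flow:to_server,established; \
    content:"X-Debug: snort-test"; http_header; nocase; \
    classtype:misc-activity; sid:1000001; rev:1; )

# Raw header buffer, the bytes exactly as they arrived on the wire.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"TEST X-Debug header via http_raw_header"; \
    flow:to_server,established; \
    content:"X-Debug: snort-test"; http_raw_header; \
    classtype:misc-activity; sid:1000002; rev:1; )

# Control rule with no HTTP modifier: matches anywhere in the TCP payload, so
# it shows whether the packet reached Snort with the expected addresses at all.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"TEST X-Debug header, no modifier"; \
    content:"X-Debug: snort-test"; \
    classtype:misc-activity; sid:1000003; rev:1; )
```

Replaying the packet capture with `snort -c snort.conf -r capture.pcap -A console` shows which of the three fire: only sid 1000003 firing points at the http_inspect port list or variables, while none firing points at the address ranges or the capture interface.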

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!