Snort mailing list archives
Re: Matching http_cookie content
From: Stephen Reese via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 3 Apr 2024 08:25:55 -0400
On Fri, May 12, 2023 at 10:29 AM Alex Tatistcheff <alext () pobox com> wrote:
I would first simplify the Talos rule until you get it to alert. Then add keywords back in until you find the culprit. Unless you've done this, you don't know what part of the rule is not matching.
Thanks, I do not have an issue generating requests using the Scapy or sockets library for most rules; it's a handful of rules related to http_cookie and http_client_body that are troublesome. The pattern I see in the rules I am unable to trigger is related to rules having a content option defined twice, whereas other rules only have the content option once.
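One way to apply the "simplify, then add keywords back" advice quoted above, as an added example that is not part of the original thread or of Snort's own tooling: the hypothetical helpers `split_options` and `incremental_rules` turn one rule into cumulative variants, each with its own sid, so the first variant that stops alerting on the same test traffic names the option group that fails to match. It assumes Snort 2.x syntax, where modifiers such as `http_cookie` follow their `content`; the sample rule is constructed, not a Talos rule.

```python
GENERAL = {"msg", "classtype", "reference", "metadata", "priority"}
MODIFIERS = {"nocase", "rawbytes", "depth", "offset", "distance", "within",
             "fast_pattern", "http_cookie", "http_raw_cookie", "http_method",
             "http_client_body", "http_uri", "http_raw_uri", "http_header",
             "http_raw_header"}

def split_options(body):
    """Split a rule body on ';', honouring quotes and backslash escapes."""
    opts, cur, quoted, escaped = [], "", False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
            continue
        cur += ch
    opts.append(cur.strip())
    return [o for o in opts if o]

def incremental_rules(rule, base_sid=1000000):
    """Return variants that add back one detection group at a time."""
    header, body = rule.split("(", 1)
    general, groups = [], []
    for opt in split_options(body.rsplit(")", 1)[0]):
        name = opt.split(":", 1)[0].strip()
        if name in ("sid", "rev"):
            continue                      # each variant gets its own sid
        if name in GENERAL:
            general.append(opt)
        elif name in MODIFIERS and groups:
            groups[-1].append(opt)        # modifier stays with its content
        else:
            groups.append([opt])
    variants = []
    for n in range(1, len(groups) + 1):
        opts = general + [o for g in groups[:n] for o in g]
        opts += [f"sid:{base_sid + n}", "rev:1"]
        variants.append(f"{header.strip()} ({'; '.join(opts)};)")
    return variants

# Constructed sample rule (not a Talos rule): two content matches in http_cookie.
SAMPLE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CONSTRUCTED '
          r'cookie test"; flow:to_server,established; content:"session="; http_cookie; '
          r'content:"role=admin\;"; distance:0; http_cookie; classtype:misc-activity; sid:1; rev:3;)')
```

For the sample, `incremental_rules(SAMPLE)` yields three rules: `flow` only, then the first cookie `content`, then both, with the second group keeping its `distance:0` and `http_cookie` modifiers.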