Snort mailing list archives

Re: http_header


From: Mike Messick <mikem () tridigitalenterprises com>
Date: Fri, 15 Jan 2010 19:03:25 -0900


No - but when I modify the rule to:

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP traffic to microsoft.com"; content:"microsoft.com"; nocase; sid:3000004;)

it will fire if I type 'microsoft.com' into the search window on 
www.microsoft.com.

gahh... This feels obvious, but I'm just not seeing it yet.

-Mike.


evilghost () packetmail net wrote:
Mike, I'm curious, does this work?

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP traffic to www.microsoft.com"; content:"|0d 0a|Host\: www.microsoft.com|0d 0a|"; nocase; sid:3000004;)

Note, I did not specify an HTTP method so there is potential to false against body content.

PS - Todd says I don't need to escape colon, I'm old school.

-evilghost

Mike Messick wrote:

Hi Folks,

I'm trying to write some rules that will alert whenever a specific http 
host is requested by a client.  For example:

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP traffic to www.microsoft.com"; content:"www.microsoft.com"; http_header; nocase; sid:3000004;)

However I cannot get this rule to alert.  What am I doing wrong? 

I did notice this in the release notes for 2.8.6 Beta:
[*] New Additions
   * HTTP Inspect now splits requests into 5 components -
     Method, URI, Header (non-cookie), Cookies, Body.
     Content and PCRE rule options can now search one or more of these

I'm currently using 2.8.5.1; do I need to upgrade to 2.8.6 beta? 

Any help will be most appreciated.

Thanks,
-Mike.


------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for Conference
attendees to learn about information security's most important issues through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

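Added example (not from the thread, and not Snort code): a small Python emulation of how HTTP Inspect's split of a request into Method, URI, Header, Cookie and Body buffers changes what a content match can see. It models the three rule variants discussed above as plain functions: an unrestricted content match (the second rule Mike tried), a match restricted to the header buffer (http_header), and evilghost's raw "|0d 0a|Host: www.microsoft.com|0d 0a|" match. The sample requests are constructed here, not captured traffic, and the splitting is a simplification of the preprocessor (no normalization, request line kept out of the header buffer, single-space request-line parsing).

```python
"""Toy emulation of Snort HTTP Inspect request buffers (added example, not Snort code)."""
from dataclasses import dataclass


@dataclass
class HttpBuffers:
    """The five request-side buffers HTTP Inspect exposes to content/pcre."""
    method: bytes
    uri: bytes
    header: bytes   # all header lines except Cookie; request line excluded here
    cookie: bytes
    body: bytes


def split_request(raw: bytes) -> HttpBuffers:
    """Split a raw HTTP request into buffers. Simplified: no normalization,
    no chunked or pipelined handling, request line split on single spaces."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    header_lines, cookie_lines = [], []
    for line in lines[1:]:
        name, _, _ = line.partition(b":")
        (cookie_lines if name.strip().lower() == b"cookie" else header_lines).append(line)
    return HttpBuffers(
        method=method,
        uri=uri,
        header=b"".join(ln + b"\r\n" for ln in header_lines),
        cookie=b"".join(ln + b"\r\n" for ln in cookie_lines),
        body=body,
    )


def content_match(buf: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """Equivalent of content:"..."; [nocase;] evaluated against one buffer."""
    return (pattern.lower() in buf.lower()) if nocase else (pattern in buf)


# The three rule variants from the thread, each reduced to its content test.
def rule_unrestricted(raw: bytes) -> bool:
    # content:"microsoft.com"; nocase;   -- no buffer modifier, whole payload
    return content_match(raw, b"microsoft.com")


def rule_http_header(raw: bytes) -> bool:
    # content:"www.microsoft.com"; http_header; nocase;   -- header buffer only
    return content_match(split_request(raw).header, b"www.microsoft.com")


def rule_host_line(raw: bytes) -> bool:
    # content:"|0d 0a|Host: www.microsoft.com|0d 0a|"; nocase;   -- whole payload
    return content_match(raw, b"\r\nHost: www.microsoft.com\r\n")


def evaluate(raw: bytes) -> dict:
    """Which of the three rules would fire on this request."""
    return {
        "unrestricted": rule_unrestricted(raw),
        "http_header": rule_http_header(raw),
        "host_line": rule_host_line(raw),
    }


# Constructed sample requests (not captured traffic).
REQ_SITE = (b"GET /en-us/ HTTP/1.1\r\n"
            b"Host: www.microsoft.com\r\n"
            b"User-Agent: example-client\r\n"
            b"Cookie: session=abc\r\n"
            b"\r\n")

# Searching for "microsoft.com" on some other site: only the body mentions it.
REQ_SEARCH = (b"POST /search HTTP/1.1\r\n"
              b"Host: search.example.com\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 15\r\n"
              b"\r\n"
              b"q=microsoft.com")

# A body that happens to carry a Host line: the false positive evilghost warned about.
REQ_BODY_FP = (b"POST /upload HTTP/1.1\r\n"
               b"Host: files.example.com\r\n"
               b"Content-Length: 32\r\n"
               b"\r\n"
               b"text=\r\nHost: www.microsoft.com\r\n")

if __name__ == "__main__":
    for name, raw in [("site", REQ_SITE), ("search", REQ_SEARCH), ("body_fp", REQ_BODY_FP)]:
        print(name, evaluate(raw))
```

Running it shows the unrestricted match firing on all three requests, the raw Host-line match firing on the real request and on the body false positive, and the header-buffer match firing only on the real request. Two checks I would make when an http_header rule does not fire at all: the header buffer is only populated for streams the http_inspect preprocessor actually decoded, so the server ports configured for http_inspect_server must cover everything $HTTP_PORTS matches; and a request-side rule should carry flow:to_server,established; so it is evaluated only on client-to-server traffic.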