Snort mailing list archives
Re: http_header
From: Mike Messick <mikem () tridigitalenterprises com>
Date: Fri, 15 Jan 2010 19:03:25 -0900
No - but when I modify the rule to: alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to microsoft.com"; content:"microsoft.com"; nocase; sid:3000004;) it will fire if I type 'microsoft.com' into the search window on www.microsoft.com. gahh... This feels obvious, but I'm just not seeing it yet. -Mike. evilghost () packetmail net wrote:
Mike, I'm curious, does this work? alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to www.microsoft.com"; content:"|0d 0a|Host\: www.microsoft.com|0d 0a|"; nocase; sid:3000004;) Note, I did not specify an HTTP method so there is potential to false against body content. PS - Todd says I don't need to escape colon, I'm old school. -evilghost Mike Messick wrote:Hi Folks, I'm trying to write some rules that will alert whenever a specific http host is requested by a client. For example: alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to www.microsoft.com"; content: "www.microsoft.com"; http_header; nocase; sid:3000004;) However I cannot get this rule to alert. What am I doing wrong? I did notice this in the release notes for 2.8.6 Beta: [*] New Additions * HTTP Inspect now splits requests into 5 components - Method, URI, Header (non-cookie), Cookies, Body. Content and PCRE rule options can now search one or more of these I'm currently using 2.8.5.1; do I need to upgrade to 2.8.6 beta? Any help will be most appreciated. Thanks, -Mike. ------------------------------------------------------------------------------ Throughout its 18-year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for Conference attendees to learn about information security's most important issues through interactions with peers, luminaries and emerging and established companies. http://p.sf.net/sfu/rsaconf-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
------------------------------------------------------------------------------ Throughout its 18-year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for Conference attendees to learn about information security's most important issues through interactions with peers, luminaries and emerging and established companies. http://p.sf.net/sfu/rsaconf-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- http_header Mike Messick (Jan 15)
- Re: http_header Rodrigo Montoro(Sp0oKeR) (Jan 15)
- Message not available
- Re: http_header Mike Messick (Jan 15)
- Re: http_header ** SOLVED Mike Messick (Jan 19)
- Re: http_header Mike Messick (Jan 15)