Snort mailing list archives

http_header issues, Snort 2.8.5.3


From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Thu, 1 Apr 2010 09:22:40 -0500

Hello, I am running Snort 2.8.5.3 and it appears that either 
http_header; is not working correctly, does not work with a relative 
keyword, or I do not understand http_header; correctly.  I am attempting 
to constrain a content match to the http_header for performance reasons.

Note, no need to recommend isdataat, I know there is data within 1024 
bytes past the previous content match.

Does NOT work:
    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: "; nocase; http_header; content:"ieatbugs="; within:1024;

Does work:
    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: "; nocase; content:"ieatbugs="; within:1024;

Comments/insight appreciated.

-evilghost

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

