Snort mailing list archives
Re: Using within after http_headers
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 30 Apr 2010 12:47:06 -0400
Correct. Since this is a normalized field (similar to uricontent), you can't have a relative statement to a normalized http field like that. This is as designed.

On Fri, Apr 30, 2010 at 12:35 PM, Mike Cox <mike.cox52 () gmail com> wrote:

I'm testing some rules and it seems that using the within content modifier on a content match that is relative to a previous content match and uses the http_headers content modifier does not work.

For example, this is the original rule that is not alerting:

    alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer"; flow:established,to_server; content:"|0d 0a|Referer\: "; nocase; http_header; content:!"google.com"; nocase; within:50; classtype:bad-unknown; rev:1; sid:7500010;)

But if I remove the within OR the http_header content modifiers, the rule alerts. So both these alert:

    alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer"; flow:established,to_server; content:"|0d 0a|Referer\: "; nocase; content:!"google.com"; nocase; within:50; classtype:bad-unknown; rev:1; sid:7500010;)

    alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer"; flow:established,to_server; content:"|0d 0a|Referer\: "; nocase; http_header; content:!"google.com"; nocase; classtype:bad-unknown; rev:1; sid:7500010;)

Is there some weird stuff going on with the HTTP header buffer such that subsequent within content modifiers don't work? If so, is this as designed?

Thanks.

-Mike Cox

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
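The pitfall in the thread is that `http_header` binds only the content keyword it follows, while `within` anchors that content on the previous content's match; in the first rule the second `content` therefore searches the raw payload relative to a match made in the normalized header buffer. The following rule linter is an added example, not code from the thread or from Snort: it parses a rule's option list and warns whenever a `within`/`distance` content sits in a different buffer than the content it is relative to. The mismatch heuristic is an assumption drawn from the reply above, not a statement of Snort's internals.

```python
import re

# Snort 2.x modifiers that bind the preceding content to a normalized HTTP buffer.
BUFFER_MODS = {"http_header", "http_raw_header", "http_uri", "http_raw_uri",
               "http_client_body", "http_cookie", "http_raw_cookie",
               "http_method", "http_stat_code", "http_stat_msg"}
# Modifiers that anchor the preceding content on the previous content's match.
RELATIVE_MODS = {"within", "distance"}


def parse_contents(rule):
    """Return one dict per content/uricontent keyword in rule order, recording
    the buffer it searches and which relative modifiers it carries."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    # Split on option separators; an escaped "\;" inside a pattern is not one.
    options = [o.strip() for o in re.split(r"(?<!\\);", body) if o.strip()]
    contents = []
    for opt in options:
        key, _, val = opt.partition(":")
        key = key.strip()
        if key == "content":
            contents.append({"pattern": val.strip(), "buffer": "payload", "relative": set()})
        elif key == "uricontent":
            contents.append({"pattern": val.strip(), "buffer": "http_uri", "relative": set()})
        elif contents and key in BUFFER_MODS:
            contents[-1]["buffer"] = key
        elif contents and key in RELATIVE_MODS:
            contents[-1]["relative"].add(key)
    return contents


def check_relative_buffers(rule):
    """Return one warning per content whose within/distance anchors on a previous
    content that searched a different buffer (assumed cause of the non-alerting rule)."""
    warnings = []
    contents = parse_contents(rule)
    for prev, cur in zip(contents, contents[1:]):
        if cur["relative"] and cur["buffer"] != prev["buffer"]:
            warnings.append(
                f"content {cur['pattern']} uses {'/'.join(sorted(cur['relative']))} "
                f"in buffer '{cur['buffer']}' relative to a match in '{prev['buffer']}'")
    return warnings


if __name__ == "__main__":
    # The original (non-alerting) rule quoted in the thread.
    rule = ('alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer"; '
            'flow:established,to_server; content:"|0d 0a|Referer\\: "; nocase; http_header; '
            'content:!"google.com"; nocase; within:50; classtype:bad-unknown; rev:1; sid:7500010;)')
    for w in check_relative_buffers(rule):
        print("WARNING:", w)
```

Running it against the three rules in the thread flags only the first; adding `http_header` to the second content as well also clears the warning, since both matches then live in the same buffer.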