Snort mailing list archives

Re: Need help with byte_test


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 12 Feb 2013 08:13:39 -0500

On Feb 12, 2013, at 1:46 AM, sandeep mlist <sandy.mlist () gmail com> wrote:

Hi,
I need to test if a content-length is zero. Here is the response 
"HTTP/1.1 200 OK
Date: Wed, 23 Jan 2013 23:44:06 GMT
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
Last-Modified: Wed, 23 Jan 2013 23:39:47 GMT
ETag: "0-4d3fd35aaeb66"
Accept-Ranges: bytes
Content-Length: 0"

I am checking for content:"|0a|content-length:" and I need to test if length is zero using byte_test. Please help me.

If you aren't testing a complex value, just use a content match: content:"Content-Length|3a 20|0|0d 0a|"; http_header;

But if you insist

content:"Content-Length|3a 20|"; byte_test:1,=,0,0,relative,string,dec;
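
Added example, not part of the original thread and not Snort's own code: a simplified Python model of what byte_test compares after the "Content-Length: " content match, with the default binary conversion beside the string,dec conversion. The function name, constants and sample responses are constructed for illustration; the first response is a trimmed copy of the one in the question, assuming CRLF line endings.

```python
import operator

OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt}

# Response from the question, trimmed, with CRLF line endings (constructed).
ZERO_LEN = (b"HTTP/1.1 200 OK\r\n"
            b"Accept-Ranges: bytes\r\n"
            b"Content-Length: 0\r\n\r\n")
# Constructed counter-example with a non-empty body.
NONZERO = b"HTTP/1.1 200 OK\r\nContent-Length: 1024\r\n\r\n" + b"A" * 1024

ANCHOR = b"Content-Length: "  # same bytes as content:"Content-Length|3a 20|"


def byte_test(buf, nbytes, op, value, offset=0, string_dec=False):
    """Model of: content:ANCHOR; byte_test:nbytes,op,value,offset,relative[,string,dec];"""
    hit = buf.find(ANCHOR)
    if hit < 0:
        return False                    # content match failed, nothing to test
    start = hit + len(ANCHOR) + offset  # relative: count from end of last match
    field = buf[start:start + nbytes]
    if string_dec:
        # string,dec: the field holds ASCII digits, convert them to a number
        digits = bytearray()
        for b in field:
            if not 0x30 <= b <= 0x39:
                break
            digits.append(b)
        if not digits:
            return False
        extracted = int(digits.decode("ascii"))
    else:
        # default: the field is read as a big-endian binary integer
        if len(field) < nbytes:
            return False
        extracted = int.from_bytes(field, "big")
    return OPS[op](extracted, value)


if __name__ == "__main__":
    print("binary,     =0 :", byte_test(ZERO_LEN, 1, "=", 0))
    print("binary,     =48:", byte_test(ZERO_LEN, 1, "=", 0x30))
    print("string,dec, =0 :", byte_test(ZERO_LEN, 1, "=", 0, string_dec=True))
    print("string,dec, =0 on 1024:", byte_test(NONZERO, 1, "=", 0, string_dec=True))
```

Without string,dec the byte after the header name is the ASCII character "0" (0x30), so a binary comparison against 0 does not match a zero-length response.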

