Snort mailing list archives

Rules across tcp headers & http headers/payload


From: Andy Richards <andy.richards.iit () gmail com>
Date: Mon, 4 Mar 2013 10:50:13 +0000

Hi,

I'm new to Snort and am trying to evaluate if I can write a custom Snort rule which can filter/match across TCP headers and HTTP headers/payload.

I understand that the Stream5 preprocessor is probably the way I need to go; however, from the documentation I can't fathom out if I can match across TCP/HTTP packet types. For example, in my rule I would like to identify if an individual (I'm assuming I can use source IP and port for this?) is sending/receiving the following packet scenario:

1) a TCP SYN sent to the client, followed by...
2) an HTTP POST from the client to a certain URL, for example "POST /someurl", followed by...
3) an HTTP payload to the client, for example beginning with "HTTP/1.1 200 OK...", followed by...
4) a TCP FIN to the client

As you can see, my example spans across TCP headers and HTTP headers/payload in both directions.

Is this mix/combination of TCP & HTTP inspection possible with Snort rules?

Many thanks,

Andy.

Sent from my iPad
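One way to express the request/response part of this scenario, as an added example of Snort 2.9 rule syntax (not part of the original post or of any Snort-supplied rule set): the first rule records the POST in a flowbit, the second alerts on the matching reply within the same TCP session. It assumes the standard snort.conf variables ($HOME_NET, $EXTERNAL_NET, $HTTP_PORTS), Stream5 and http_inspect enabled for port 80, and placeholder SIDs in the local range.

```snort
# Added example, not from the poster: two rules chained with flowbits.
# Assumes Stream5 and http_inspect are enabled for $HTTP_PORTS; $HOME_NET,
# $EXTERNAL_NET and $HTTP_PORTS are the standard snort.conf variables.
# SIDs 1000001/1000002 are placeholders in the local range.

# Rule 1: client-side POST to the URL of interest. "flow:established"
# means Stream5 has already tracked the TCP handshake (the SYN step), so
# the rule never has to match on SYN flags itself. "flowbits:noalert"
# makes this rule record state only, without generating its own event.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL POST to /someurl seen, waiting for server reply"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"/someurl"; http_uri; \
    flowbits:set,local.someurl.post; \
    flowbits:noalert; \
    classtype:misc-activity; sid:1000001; rev:1; \
)

# Rule 2: server reply in the same session, only if rule 1 fired earlier.
# "flowbits:isset" ties the two directions together inside one TCP flow,
# which is also what pins the alert to one client IP/port pair.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL HTTP 200 OK reply to earlier POST /someurl"; \
    flow:to_client,established; \
    flowbits:isset,local.someurl.post; \
    content:"HTTP/1.1 200 OK"; depth:15; \
    classtype:misc-activity; sid:1000002; rev:1; \
)
```

The SYN and FIN steps are handled as session state by Stream5 rather than matched by rule content; a rule with `flags:F` can be written, but it carries no HTTP context, so the flowbit pair above is where the cross-direction correlation actually happens.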
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

