Snort mailing list archives
Rules across tcp headers & http headers/payload
From: Andy Richards <andy.richards.iit () gmail com>
Date: Mon, 4 Mar 2013 10:50:13 +0000
Hi,

I'm new to Snort and am trying to evaluate whether I can write a custom Snort rule which can filter/match across TCP headers and HTTP headers/payload. I understand that the Stream5 preprocessor is probably the way I need to go; however, from the documentation I can't fathom out whether I can match across TCP/HTTP packet types?

For example, in my rule I would like to identify if an individual (I'm assuming I can use source IP and port for this?) is sending/receiving the following packet scenario:

1) a TCP SYN sent to the client, followed by...
2) an HTTP POST from the client to a certain URL, for example "POST /someurl", followed by...
3) an HTTP payload to the client, for example beginning with "HTTP/1.1 200 OK...", followed by...
4) a TCP FIN to the client.

As you can see, my example spans across TCP headers and HTTP headers/payload in both directions. Is this mix/combination of TCP & HTTP inspection possible with Snort rules?

Many thanks,
Andy.

Sent from my iPad
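One way the cross-packet part of this scenario (steps 2 and 3) is commonly expressed in Snort is to chain two rules on the same TCP session with flowbits. The rule set below is an added illustration, not code from the original post or from the Snort project; it assumes Snort 2.9-style rule syntax with the stream5 and http_inspect preprocessors enabled, and the flowbit name, SIDs and "/someurl" are placeholders.

```snort
# Step 2: client -> server HTTP POST to the URL of interest. Sets a flag on
# the TCP session and stays silent (noalert) so only the full sequence fires.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE POST to /someurl seen, awaiting response"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"/someurl"; http_uri; \
    flowbits:set,example.post_someurl; \
    flowbits:noalert; \
    classtype:misc-activity; sid:1000001; rev:1; )

# Step 3: server -> client 200 OK in the same session, matched only after the
# POST above was seen on that session. This is the rule that actually alerts;
# the flowbit is cleared so the next POST has to be seen again.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE 200 OK response following POST to /someurl"; \
    flow:to_client,established; \
    flowbits:isset,example.post_someurl; \
    content:"200"; http_stat_code; \
    flowbits:unset,example.post_someurl; \
    classtype:misc-activity; sid:1000002; rev:1; )
```

Steps 1 and 4 (the SYN and FIN) are the session setup and teardown that stream5 tracks for you: `flow:established` already implies the handshake was observed, and the per-session flowbit is discarded when the session ends.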
Current thread:
- Rules across tcp headers & http headers/payload Andy Richards (Mar 04)
- Re: Rules across tcp headers & http headers/payload waldo kitty (Mar 04)
- Re: Rules across tcp headers & http headers/payload lists () packetmail net (Mar 04)
- Re: Rules across tcp headers & http headers/payload Andy Richards (Mar 05)
- Re: Rules across tcp headers & http headers/payload lists () packetmail net (Mar 05)
- Re: Rules across tcp headers & http headers/payload Andy Richards (Mar 05)