Snort mailing list archives
http_header usage
From: Cagri Ersen <cagri.ersen () gmail com>
Date: Tue, 22 Apr 2014 02:23:01 +0300
Hi there,

I have a problem with the http_header option. I just wrote a rule like the one below, but it doesn't fire any alerts:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Test rule"; flow:to_server; content:"GET"; http_header; sid:1;)

However, if I remove the http_header; then Snort generates alerts as expected. Also, it seems all http_keywords are noneffective... (http inspect is turned on with default values in snort.conf)

I read the documentation and searched the mailing list archive to find a solution, without any luck. I would very much appreciate it if someone could point out my mistake with the rules or the setup.

Cagri
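The following added example is not part of the original post and is not Snort code. It is a simplified Python model (function names are hypothetical, the request is constructed) of how http_inspect separates a client request into buffers: the method from the request line goes to the http_method buffer, while http_header covers only the header fields, so a content match for "GET" restricted with http_header finds nothing in this model even though the unrestricted match succeeds.

```python
"""Simplified model of the buffers Snort 2.9's http_inspect fills for a
client request. Illustration only: function names are hypothetical."""

# Constructed sample request (not captured traffic).
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: test-client/1.0\r\n"
    b"\r\n"
)


def split_buffers(raw: bytes) -> dict:
    """Split a raw HTTP request into the buffers the http_* modifiers search."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("not a well-formed HTTP request line")
    method, uri, _version = parts
    return {
        "http_method": method,                  # request method only
        "http_uri": uri,                        # request URI only
        "http_header": header_block + b"\r\n",  # header fields, no request line
        "http_client_body": body,               # empty for this GET
    }


def matching_buffers(raw: bytes, content: bytes) -> list:
    """Return the names of the buffers in which `content` occurs."""
    return [name for name, buf in split_buffers(raw).items() if content in buf]


def raw_match(raw: bytes, content: bytes) -> bool:
    """A content match with no http_* modifier searches the whole payload."""
    return content in raw


if __name__ == "__main__":
    for needle in (b"GET", b"Host: www.example.com"):
        print(needle, "raw:", raw_match(SAMPLE_REQUEST, needle),
              "buffers:", matching_buffers(SAMPLE_REQUEST, needle))
```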