Snort mailing list archives

http_header usage


From: Cagri Ersen <cagri.ersen () gmail com>
Date: Tue, 22 Apr 2014 02:23:01 +0300

Hi there,

I have a problem with the http_header option. I just wrote a rule like the
one below, but it doesn't fire the alerts:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Test rule";
flow:to_server; content:"GET"; http_header; sid:1;)

However, if I remove the http_header; then Snort generates alerts as
expected.

Also it seems all http_keywords are ineffective... (http inspect is turned
on with default values in snort.conf). I read the documentation and searched
the mailing list archive to find a solution, without any luck.

I would very much appreciate it if someone could point out my mistake with
the rules or the setup.

Cagri
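
Added example (not part of the original post and not Snort code): a simplified Python model of the buffers that Snort 2.x content modifiers select. In Snort 2.x, http_header restricts a content match to the header fields, which exclude the request line, so the method string is matched through http_method instead. The function names and the sample request are constructed for illustration, and header normalization is not modeled.

```python
# Simplified model of how http_inspect separates a client request into
# buffers. Illustration only: Snort's real parser also normalizes fields.

def split_request(payload: bytes) -> dict:
    """Split a raw HTTP request into the buffers each modifier searches."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    return {
        None: payload,                       # no modifier: whole payload
        "http_method": parts[0],             # e.g. GET, POST
        "http_uri": parts[1] if len(parts) > 1 else b"",
        "http_header": headers,              # header fields only
        "http_client_body": body,
    }


def content_matches(payload: bytes, content: bytes, modifier=None) -> bool:
    """Model of content:"..."; optionally followed by one http_* modifier."""
    return content in split_request(payload)[modifier]


# Constructed sample request (not captured traffic).
SAMPLE = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: test-client\r\n"
    b"Accept: */*\r\n\r\n"
)

if __name__ == "__main__":
    checks = [
        (b"GET", None),              # plain content match on the payload
        (b"GET", "http_header"),     # the rule from the post
        (b"GET", "http_method"),     # method buffer
        (b"Host: www.example.com", "http_header"),
    ]
    for content, modifier in checks:
        result = content_matches(SAMPLE, content, modifier)
        print(f"content:{content!r}; {modifier or '(no modifier)'} -> {result}")
```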