Snort mailing list archives

Re: http_header usage


From: "lists () packetmail net" <lists () packetmail net>
Date: Mon, 21 Apr 2014 19:35:40 -0500

Hi,

On 04/21/2014 06:23 PM, Cagri Ersen wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Test rule";
> flow:to_server; content:"GET"; http_header; sid:1;)
>
> However, if I remove the http_header; then snort generates alerts as expected.

You want to use the http_method normalized buffer, RFC 2616 considers "GET" an
HTTP method.  I know, one would say "But http_cookie, http_method, http_uri, etc
should all be included in http_header!" but these are performance-optimized
normalized buffers that are exclusive of each other, not inclusive.

Without seeing your snort.conf, I believe the below should fire on every HTTP
request:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Test rule";
flow:to_server; content:"GET"; http_method; sid:1;)

Cheers,
Nathan Fowler
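As an added illustration (not from the thread and not Snort's own code), a small Python model of the exclusive-buffer behaviour the reply describes: the request line (method and URI) and the Cookie header are carved out into their own buffers, so "GET" is found in http_method and in the raw payload but never in http_header. The sample request and the split are simplified assumptions, not HttpInspect's actual implementation.

```python
from typing import Dict, Optional

# Constructed sample request (not taken from the original thread).
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: test-agent\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)


def split_buffers(raw: str) -> Dict[str, str]:
    """Simplified model of the mutually exclusive normalized buffers.

    http_method: the method token from the request line
    http_uri:    the request-URI from the request line
    http_cookie: the value of the Cookie header
    http_header: the remaining header fields, without the request line
                 and without the Cookie header
    raw:         the whole payload, which is what a bare content: match sees
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    method, uri, _version = request_line.split(" ", 2)
    cookie = ""
    kept = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            cookie = value.strip()  # extracted, so absent from http_header
        else:
            kept.append(line)
    return {
        "raw": raw,
        "http_method": method,
        "http_uri": uri,
        "http_cookie": cookie,
        "http_header": "\r\n".join(kept) + "\r\n",
    }


def content_matches(buffers: Dict[str, str], pattern: str,
                    modifier: Optional[str] = None) -> bool:
    """Emulate content:"pattern"; [modifier]; as a plain substring test."""
    target = buffers[modifier] if modifier else buffers["raw"]
    return pattern in target
```

With this model, content:"GET"; http_method; and an unmodified content:"GET" both match, while content:"GET"; http_header; does not, which mirrors the behaviour reported in the thread.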

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
