Snort mailing list archives
Re: http_header usage
From: "lists () packetmail net" <lists () packetmail net>
Date: Mon, 21 Apr 2014 19:35:40 -0500
Hi,

On 04/21/2014 06:23 PM, Cagri Ersen wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Test rule"; flow:to_server; content:"GET"; http_header; sid:1;)
>
> However, if I remove the http_header; then snort generates alerts as expected.

You want to use the http_method normalized buffer; RFC 2616 considers "GET" an HTTP method. I know, one would say "But http_cookie, http_method, http_uri, etc. should all be included in http_header!" but these are performance-optimized normalized buffers that are exclusive of each other, not inclusive.

Without seeing your snort.conf, I believe the below should fire on every HTTP request:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Test rule"; flow:to_server; content:"GET"; http_method; sid:1;)

Cheers,
Nathan Fowler
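As an added illustration (not part of this thread and not Snort's own code), a simplified Python model of the exclusive normalized buffers Nathan describes, showing why content:"GET" matches in http_method but not in http_header; the sample request, the buffer split and the assumption that the Cookie header is carved out of the header buffer are all constructed for the example.

```python
# Simplified model of the exclusive HTTP buffers that Snort's HTTP inspector
# exposes to content modifiers (http_method, http_uri, http_header, http_cookie).
# Constructed for illustration only: it ignores URI normalization, header
# folding, responses and other details of the real preprocessor.
from dataclasses import dataclass


@dataclass
class HttpBuffers:
    method: bytes   # request-line method, e.g. b"GET"
    uri: bytes      # request-line URI
    header: bytes   # header lines after the request line, Cookie removed (assumption)
    cookie: bytes   # value of the Cookie header, if any


def split_buffers(request: bytes) -> HttpBuffers:
    """Split a raw client request into the four exclusive buffers."""
    head, _, _body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    header_lines, cookie = [], b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie = value.strip()          # goes to http_cookie, not http_header
        else:
            header_lines.append(line)
    return HttpBuffers(method, uri, b"\r\n".join(header_lines) + b"\r\n", cookie)


def content_matches(buffers: HttpBuffers, content: bytes, modifier: str) -> bool:
    """Emulate `content:"..."; <modifier>;` searching one normalized buffer only."""
    return content in getattr(buffers, modifier[len("http_"):])


# Constructed sample request (no real host or session).
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"User-Agent: test-client\r\n"
                  b"Cookie: sid=abc123\r\n"
                  b"Accept: */*\r\n\r\n")


def evaluate_rules(request: bytes = SAMPLE_REQUEST) -> dict:
    """Return which (content, modifier) pairs from the thread would fire."""
    buf = split_buffers(request)
    return {
        "GET/http_header": content_matches(buf, b"GET", "http_header"),   # False
        "GET/http_method": content_matches(buf, b"GET", "http_method"),   # True
        "sid=/http_header": content_matches(buf, b"sid=", "http_header"), # False
        "sid=/http_cookie": content_matches(buf, b"sid=", "http_cookie"), # True
    }
```

Like Snort's default content match, the `in` test is case-sensitive; add nocase in the rule if the method may vary in case.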