Snort mailing list archives

http_header not working


From: NIDS TEAM <nidsteam () gmail com>
Date: Fri, 26 Sep 2014 14:29:17 +0200

Hi

I just encountered a problem with the http_* keywords in Snort rules. There
is a GET request to www.anywebsite.com/test

The following signature triggers:
alert ip any any -> any any (content:"test"; msg:"Test Signature"; sid:"9999999"; rev:1);

The following signatures do not:
alert ip any any -> any any (content:"test"; http_header; msg:"Test Signature"; sid:"9999998"; rev:1);
alert ip any any -> any any (content:"test"; http_uri; msg:"Test Signature"; sid:"9999997"; rev:1);

Does anyone have an idea why?

I tested the behaviour with:
- Security Onion - Snort 2.9.5.6
  Default shipped configuration plus the above rules
- Ubuntu Snort download off the shelf - Snort 2.9.6.0
- Latest and greatest compiled - Snort 2.9.6.2

There is always the same behaviour.

Thanks already
guido