Snort mailing list archives

Re: http_header not working


From: Stephen Gantz <stephen.gantz () faculty umuc edu>
Date: Fri, 26 Sep 2014 09:32:21 -0400

Are you testing with an actual website? What are you using to send the GET request? It's not clear to me why the "test" string would be in the http header unless it is sent by or coming from a web server. You might try changing your content match string to the URL of an actual website.

Dr. Stephen D. Gantz
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu

On Sep 26, 2014, at 8:29 AM, NIDS TEAM <nidsteam () gmail com> wrote:

Hi

I just encountered a problem with the http_* keywords in Snort rules. There is a GET request to www.anywebsite.com/test

The following signature triggers:
alert ip any any -> any any (content:"test"; msg:"Test Signature"; sid:"9999999"; rev:1);

The following signatures do not:
alert ip any any -> any any (content:"test"; http_header; msg:"Test Signature"; sid:"9999998"; rev:1);
alert ip any any -> any any (content:"test"; http_uri; msg:"Test Signature"; sid:"9999997"; rev:1);

Does anyone have an idea why?

I tested the behaviour with:
- Security Onion - Snort 2.9.5.6
  Default shipped configuration plus the above rules
- Ubuntu Snort download off the shelf - Snort 2.9.6.0
- Latest and greatest compiled - Snort 2.9.6.2

There is always the same behaviour.

Thanks already 
guido
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
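The thread above turns on which buffer a Snort content match is searched in: no modifier searches the whole payload, http_uri only the request URI, http_header only the header block. The following Python sketch is an added illustration, not code from either poster or from Snort itself; it splits a constructed GET request into rough equivalents of those buffers (no URI normalisation, cookie handling or port configuration) and reports where the string "test" turns up.

```python
# Added example: approximate the Snort 2.x http_inspect buffers for one
# HTTP request so you can see which content modifier could match it.
# Illustration only, not Snort code; it performs no normalisation.

def split_http_request(raw: bytes) -> dict:
    """Split a raw HTTP request into a dict of buffer name -> bytes.

    Keys mirror the content modifiers discussed in the thread:
    'raw' (no modifier), 'http_uri', 'http_header', 'http_client_body'.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    # Snort's http_header buffer holds the headers without the request line,
    # so a string that only appears in the URI is not found there.
    headers = b"\r\n".join(header_lines) + (b"\r\n" if header_lines else b"")
    return {
        "raw": raw,
        "http_uri": uri,
        "http_header": headers,
        "http_client_body": body if sep else b"",
    }


def buffers_matching(raw: bytes, needle: bytes) -> list:
    """Return the names of the buffers in which `needle` occurs."""
    return [name for name, data in split_http_request(raw).items()
            if needle in data]


# Constructed sample traffic (not a capture from the original thread).
REQ_PATH = (b"GET /test HTTP/1.1\r\n"
            b"Host: www.anywebsite.com\r\n"
            b"User-Agent: curl/7.35.0\r\n\r\n")
REQ_HOST = (b"GET / HTTP/1.1\r\n"
            b"Host: test.example.com\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("path", REQ_PATH), ("host", REQ_HOST)):
        print(label, buffers_matching(req, b"test"))
```

For the first request "test" is in the raw payload and the URI but not in the header block, which is the behaviour the first two results in the thread would suggest; it reaches http_header only when the hostname itself contains it, as in the second request.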