Snort mailing list archives
Re: http_header not working
From: Stephen Gantz <stephen.gantz () faculty umuc edu>
Date: Fri, 26 Sep 2014 09:32:21 -0400
Are you testing with an actual website? What are you using to send the GET request? It's not clear to me why the "test" string would be in the http header unless it is sent by or coming from a web server. You might try changing your content match string to the URL of an actual website.

Dr. Stephen D. Gantz CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu
On Sep 26, 2014, at 8:29 AM, NIDS TEAM <nidsteam () gmail com> wrote:

> Hi
>
> I just encountered a problem with the http_* keywords in Snort rules.
>
> There is a GET request to www.anywebsite.com/test
>
> The following signature triggers:
>
> alert ip any any -> any any (content:"test"; msg:"Test Signature"; sid:"9999999"; rev:1);
>
> The following signatures do not:
>
> alert ip any any -> any any (content:"test"; http_header; msg:"Test Signature"; sid:"9999998"; rev:1);
> alert ip any any -> any any (content:"test"; http_uri; msg:"Test Signature"; sid:"9999997"; rev:1);
>
> Does anyone have an idea why?
>
> I tested the behaviour with:
> - Security Onion - Snort 2.9.5.6 Default shipped configuration plus the above rules
> - Ubuntu Snort download off the shelf - Snort 2.9.6.0
> - Latest and greatest compiled - Snort 2.9.6.2
>
> There is always the same behaviour.
>
> Thanks already
> guido
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
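The point raised in the reply above, that "test" is not expected in the HTTP header of a request for www.anywebsite.com/test, can be made concrete by splitting a request into the separate buffers that Snort's http_* content modifiers inspect. The script below is an added illustration and is not Snort code or anything posted in the thread; it is a simplified model of how the http_inspect preprocessor carves a request into method, URI, header and client-body buffers (the real preprocessor also normalises the URI and, depending on configuration, separates cookies out of the header buffer). The sample request is constructed to resemble the GET described in the original post. A bare `content:"test"` is matched against the whole payload, so it sees the "test" in the request line; `http_header` only sees the header block, which contains the hostname but not the path. One further caveat a defender should keep in mind: the http_* buffers are only populated when http_inspect actually parses the stream, so if the traffic is not on a port the preprocessor is configured for, rules using those modifiers cannot fire even though a plain `content:` match still can.

```python
"""Split a raw HTTP request into the buffers that Snort's http_* content
modifiers inspect, and report which buffers contain a given pattern.

Added example, not Snort's own code: the buffer split is a simplified
model of what the http_inspect preprocessor does (request line ->
http_method / http_uri, header block -> http_header, body ->
http_client_body). URI normalisation and cookie extraction are omitted.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class HttpBuffers:
    raw: bytes          # whole payload: what a bare content: match sees
    method: bytes       # http_method
    uri: bytes          # http_uri (un-normalised in this model)
    header: bytes       # http_header: lines between request line and blank line
    client_body: bytes  # http_client_body


def split_http_request(payload: bytes) -> HttpBuffers:
    """Carve one complete HTTP request into Snort-style buffers."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no blank line ending the headers")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, uri, _version = parts
    return HttpBuffers(raw=payload, method=method, uri=uri,
                       header=header_block, client_body=body)


BUFFER_NAMES = ["raw", "method", "uri", "header", "client_body"]


def matching_buffers(payload: bytes, pattern: bytes) -> List[str]:
    """Names of the buffers in which `pattern` would match, in fixed order."""
    bufs = split_http_request(payload)
    return [name for name in BUFFER_NAMES if pattern in getattr(bufs, name)]


# Constructed sample, modelled on the GET www.anywebsite.com/test in the thread.
# Nothing in the header block contains "test"; only the request line does.
REQUEST_PATH_ONLY = (b"GET /test HTTP/1.1\r\n"
                     b"Host: www.anywebsite.com\r\n"
                     b"User-Agent: curl/7.35.0\r\n"
                     b"Accept: */*\r\n"
                     b"\r\n")

# Constructed variant where a header value (the User-Agent) also carries "test",
# so an http_header rule would have something to match on.
REQUEST_HEADER_TOO = (b"GET /index.html HTTP/1.1\r\n"
                      b"Host: www.anywebsite.com\r\n"
                      b"User-Agent: test-client/1.0\r\n"
                      b"Accept: */*\r\n"
                      b"\r\n")

if __name__ == "__main__":
    for label, req in (("path only", REQUEST_PATH_ONLY),
                       ("header too", REQUEST_HEADER_TOO)):
        print("%-10s -> %s" % (label, matching_buffers(req, b"test")))
```

Run stand-alone it reports `['raw', 'uri']` for the first request and `['raw', 'header']` for the second, which is exactly the split the reply is pointing at: the string must be present in the specific buffer a modifier selects, not merely somewhere in the packet.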
Current thread:
- http_header not working NIDS TEAM (Sep 26)
- Re: http_header not working Shirkdog (Sep 26)
- Re: http_header not working NIDS TEAM (Sep 26)
- Re: http_header not working Stephen Gantz (Sep 26)
- Re: http_header not working NIDS TEAM (Sep 26)
- Re: http_header not working Joel Esler (jesler) (Sep 26)
- Re: http_header not working NIDS TEAM (Sep 26)
- Re: http_header not working Joel Esler (jesler) (Sep 26)
- Re: http_header not working NIDS TEAM (Sep 26)
- Re: http_header not working Joel Esler (jesler) (Sep 26)
- Re: http_header not working NIDS TEAM (Sep 29)
- Re: http_header not working waldo kitty (Sep 29)
- Re: http_header not working NIDS TEAM (Sep 26)
- Re: http_header not working Shirkdog (Sep 26)
- Re: http_header not working NIDS TEAM (Sep 29)