Snort mailing list archives

Re: Matching http_cookie content


From: Stephen Reese via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 3 Apr 2024 08:25:55 -0400

On Fri, May 12, 2023 at 10:29 AM Alex Tatistcheff <alext () pobox com> wrote:

I would first simplify the Talos rule until you get it to alert. Then add
keywords back in until you find the culprit. Unless you've done this you
don't know what part of the rule is not matching.


Thanks, I do not have an issue generating requests using the Scapy or
sockets library for most rules; it's a handful of rules related to
http_cookie and http_client_body that are troublesome. The pattern I see in
the rules I am unable to trigger is related to rules having a content
option defined twice whereas other rules only have the content option once.
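
Added example, not part of either post and not Talos or Snort project code: one way to carry out the simplify-then-add-back approach from the quoted reply is to generate cumulative variants of a rule, each with its own sid, so the first variant that stops alerting points at the failing option. The sample rule, the sids, the `bisect step` messages and the modifier list are constructed assumptions (Snort 2 syntax), and each content keeps its modifiers so a rule with two content options is added back one match at a time.

```python
import re

# Constructed Snort 2-style rule for illustration; not a real Talos rule.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"EXAMPLE cookie test"; flow:to_server,established; '
    'content:"session="; http_cookie; '
    'content:"role=admin\\;"; distance:0; http_cookie; '
    'pcre:"/id=\\d+/C"; sid:1000001; rev:1;)'
)

# One option: plain chars, backslash escapes or quoted strings up to an unquoted ';'.
OPTION_RE = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')
# Non-detection options; dropped and regenerated per variant.
META = {"msg", "sid", "rev", "gid", "reference", "classtype", "metadata"}
# Options that modify the preceding content match and must travel with it.
MODIFIERS = {"nocase", "rawbytes", "depth", "offset", "distance", "within",
             "fast_pattern", "http_cookie", "http_raw_cookie",
             "http_client_body", "http_header", "http_raw_header", "http_uri",
             "http_raw_uri", "http_method", "http_stat_code", "http_stat_msg"}


def split_rule(rule):
    """Return (header, groups); each group is one match plus its modifiers."""
    header = rule[:rule.index("(")].strip()
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    groups = []
    for opt in (o.strip() for o in OPTION_RE.findall(body)):
        name = opt.partition(":")[0].strip()
        if not opt or name in META:
            continue
        if name in MODIFIERS and groups:
            groups[-1].append(opt)      # stays attached to its content
        else:
            groups.append([opt])        # flow, content, pcre, ... start a group
    return header, groups


def bisect_variants(rule, first_sid=1000001):
    """Build rules containing the first 1..N groups, one local sid per step."""
    header, groups = split_rule(rule)
    variants = []
    for n in range(1, len(groups) + 1):
        detection = [opt for group in groups[:n] for opt in group]
        opts = [f'msg:"bisect step {n}"', *detection,
                f"sid:{first_sid + n - 1}", "rev:1"]
        variants.append(f"{header} ({'; '.join(opts)};)")
    return variants


if __name__ == "__main__":
    print("\n".join(bisect_variants(SAMPLE_RULE)))
```

Load the generated rules together and replay the same test request: the highest step number that alerts is the last option group that matched.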