Snort mailing list archives
Re: Matching http_cookie content
From: "Al Lewis (allewi) via Snort-sigs" <snort-sigs () lists snort org>
Date: Wed, 10 Apr 2024 13:34:53 +0000
No, not necessarily. I don't know what the traffic looked like that they wrote the rule on. I edited the rule to match the traffic that your script generated just as an example.

Albert Lewis
Email: allewi () cisco com

________________________________
From: Stephen Reese <rsreese () gmail com>
Sent: Monday, April 8, 2024 8:27 AM
To: Al Lewis (allewi) <allewi () cisco com>
Cc: Alex Tatistcheff <alext () pobox com>; snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] Matching http_cookie content

On Sun, Apr 7, 2024 at 10:02 PM Al Lewis (allewi) <allewi () cisco com> wrote:

> Using your script, if the http_cookie keyword is added it alerts. Files used are attached.

Does this mean the rule that is being distributed is broken?