Snort mailing list archives

Re: Matching http_cookie content


From: "Al Lewis (allewi) via Snort-sigs" <snort-sigs () lists snort org>
Date: Wed, 10 Apr 2024 13:34:53 +0000

No, not necessarily. I don't know what the traffic looked like that they wrote the rule on.

I edited the rule to match the traffic that your script generated just as an example.


Albert Lewis

Email: allewi () cisco com

________________________________
From: Stephen Reese <rsreese () gmail com>
Sent: Monday, April 8, 2024 8:27 AM
To: Al Lewis (allewi) <allewi () cisco com>
Cc: Alex Tatistcheff <alext () pobox com>; snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] Matching http_cookie content

On Sun, Apr 7, 2024 at 10:02 PM Al Lewis (allewi) <allewi () cisco com> wrote:

Using your script, if the http_cookie keyword is added it alerts. Files used are attached.

Does this mean the rule that is being distributed is broken?