[Snort-devel] question about http false positive ...

Chris Green cmg at ...402...
Mon Aug 12 05:48:03 EDT 2002


fde <fde at ...1415...> writes:

> Hello,
>
> I have a question on the HTTP protocol,
>
> does there exist in Snort a means of filtering HTTP headers? : YES!
>
> but is there a means of collecting the response of the srv ?
>
> and of, determine if the request has to relate to the srv ?
> (like nfr)
>
> example clt : GET /rdo HTTP/1.0
> example srv : HTTP/1.1 404 Not found ....
>
> if it is said that the request is an attack, one can say that it is
> less significant because the srv answered well ...


Response code intelligence is a wishlist feature that can be built
off of the stream4 or conversation structures if there are
enterprising individuals.  At the moment, there's no way to postpone
the alert message to make it a specific priority depending on the
response code.
-- 
Chris Green <cmg at ...402...>
Laugh and the world laughs with you, snore and you sleep alone.
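
The idea discussed in this thread, holding an alert on a request until the server's status line is seen on the same conversation and then setting its priority, sketched as an added example (not Snort code and not part of either post). The class name, the 1-3 priority scale, the "/rdo" pattern borrowed from the question, and the addresses are all assumptions made for illustration.

```python
import re

# Assumption: "/rdo" (the URI from the question) stands in for a real signature.
SIGNATURES = {"suspicious-uri-rdo": re.compile(r"^GET\s+/rdo\b")}
STATUS_LINE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})\b")
DEFAULT_PRIORITY = 2  # assumed scale: 1 = highest, 3 = lowest

def priority_for(status):
    if 200 <= status < 400:
        return 1              # server processed the request: raise priority
    if 400 <= status < 500:
        return 3              # server rejected it (e.g. 404): lower priority
    return DEFAULT_PRIORITY   # 5xx or anything else: outcome is unclear

class ResponseAwareAlerter:
    def __init__(self):
        self.pending = {}     # (client, server) -> signature awaiting a response
        self.alerts = []      # (flow, signature, priority, status)

    def on_payload(self, src, dst, first_line):
        # src and dst are (ip, port) tuples; first_line is the first payload line.
        for name, rx in SIGNATURES.items():
            if rx.search(first_line):
                self.pending[(src, dst)] = name   # postpone the alert
                return
        m = STATUS_LINE.match(first_line)
        # A response travels server -> client, so look up the reversed tuple.
        if m and (dst, src) in self.pending:
            status = int(m.group(1))
            name = self.pending.pop((dst, src))
            self.alerts.append(((dst, src), name, priority_for(status), status))

    def flush(self):
        # Emit held alerts whose response was never seen (timeout, teardown).
        for flow, name in self.pending.items():
            self.alerts.append((flow, name, DEFAULT_PRIORITY, None))
        self.pending.clear()

def demo():
    # Constructed sample traffic: three clients request /rdo, one gets no reply.
    srv = ("10.0.0.80", 80)
    c1, c2, c3 = ("10.0.0.5", 40001), ("10.0.0.6", 40002), ("10.0.0.7", 40003)
    a = ResponseAwareAlerter()
    a.on_payload(c1, srv, "GET /rdo HTTP/1.0")
    a.on_payload(srv, c1, "HTTP/1.1 404 Not found")
    a.on_payload(c2, srv, "GET /rdo HTTP/1.0")
    a.on_payload(srv, c2, "HTTP/1.1 200 OK")
    a.on_payload(c3, srv, "GET /rdo HTTP/1.0")
    a.flush()
    return [(flow[0][0], prio, status) for flow, _, prio, status in a.alerts]
```

A status code only adjusts priority here; the alert is never dropped, since a server can return 200 with an error page or 404 after the request has already had an effect.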



