[Snort-sigs] question about sid:2570

Brian bmc at ...95...
Thu Jul 15 07:32:04 EDT 2004


On Thu, Jul 15, 2004 at 08:07:19AM -0400, Miner, Jonathan W (CSC) (US SSA) wrote:
> I'm trying to understand why I'm getting hits on this rule:
> 
> http://www.snort.org/snort-db/sid.html?sid=2570
> 
> from the following packet. If I understand the rule correctly, it is
> looking for the '0A' within five bytes from the end of the 'HTTP/'
> string. Right?

Because of this:

> 190 : 32 36 2E 35 32 2E 31 34 39 0D 0A 56 69 61 3A 20   26.52.149..Via: 
> 1a0 : 48 54 54 50 2F 31 2E 30 20 20 28 49 42 4D 2D 50   HTTP/1.0  (IBM-P
> 1b0 : 52 4F 58 59 2D 46 57 29 2C 20 31 2E 31 20 70 6C   ROXY-FW), 1.1 pl
> 1c0 : 75 74 6F 20 28 4E 65 74 43 61 63 68 65 20 4E 65   uto (NetCache Ne
> 1d0 : 74 41 70 70 2F 35 2E 33 2E 31 52 32 29 0D 0A 0D   tApp/5.3.1R2)...
> 1e0 : 0A 

This rule should probably be moved into a feature of http_inspect.

Brian
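As an added example, not part of this thread and not the Snort rule set's own code: a small Python script that parses the hex dump quoted above and applies the byte-level check Jonathan describes (a 0x0A within five bytes after "HTTP/") to every "HTTP/" occurrence in it, alongside a constructed ordinary request line for comparison. The actual options of sid 2570 are not on this page, so the script reproduces only the check as the thread describes it; the hex-dump parser, the function names and the sample request line are my own assumptions.

```python
# Added example (not from the mailing-list thread): reproduce the byte-level
# check the thread describes, a content match on "HTTP/" followed by a look
# for 0x0A within the next five bytes, against the quoted hex dump.

import re

# Hex dump lines exactly as quoted in the thread (offsets 0x190-0x1e0). The
# packet bytes before offset 0x190 are not on the page, so the sample starts there.
HEX_DUMP = """\
190 : 32 36 2E 35 32 2E 31 34 39 0D 0A 56 69 61 3A 20   26.52.149..Via:
1a0 : 48 54 54 50 2F 31 2E 30 20 20 28 49 42 4D 2D 50   HTTP/1.0  (IBM-P
1b0 : 52 4F 58 59 2D 46 57 29 2C 20 31 2E 31 20 70 6C   ROXY-FW), 1.1 pl
1c0 : 75 74 6F 20 28 4E 65 74 43 61 63 68 65 20 4E 65   uto (NetCache Ne
1d0 : 74 41 70 70 2F 35 2E 33 2E 31 52 32 29 0D 0A 0D   tApp/5.3.1R2)...
1e0 : 0A
"""


def parse_hex_dump(text):
    """Return (base_offset, data) from a Snort-style 'off : hh hh ...   ascii' dump.

    The ASCII column is separated from the hex bytes by several spaces, so a
    single optional space after each byte pair is enough to stop at the right place.
    """
    base = None
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-fA-F]+)\s*:\s*((?:[0-9a-fA-F]{2}\s?)+)", line)
        if not m:
            continue
        off = int(m.group(1), 16)
        if base is None:
            base = off
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return base, bytes(out)


def within_check(data, base, anchor=b"HTTP/", needle=b"\x0a", within=5):
    """For every occurrence of `anchor`, report the `within` bytes that follow it
    and whether `needle` appears among them (roughly Snort's content/within
    semantics for a one-byte needle: it must end within `within` bytes of the
    previous match). Offsets are reported relative to `base`, the dump's first offset.
    """
    results = []
    start = 0
    while True:
        i = data.find(anchor, start)
        if i < 0:
            break
        window = data[i + len(anchor): i + len(anchor) + within]
        results.append({
            "offset": base + i,
            "following": window,
            "newline_within": needle in window,
        })
        start = i + 1
    return results


if __name__ == "__main__":
    base, data = parse_hex_dump(HEX_DUMP)
    print("dumped packet fragment:")
    for r in within_check(data, base):
        print(f"  HTTP/ at 0x{r['offset']:x}, next bytes {r['following']!r}, "
              f"0x0A within 5: {r['newline_within']}")
    # Constructed ordinary request line for comparison (not from the dump).
    print("constructed request line:")
    for r in within_check(b"GET / HTTP/1.1\r\n", 0):
        print(f"  HTTP/ at offset {r['offset']}, next bytes {r['following']!r}, "
              f"0x0A within 5: {r['newline_within']}")
```

Running it shows that the only "HTTP/" in the dumped fragment is the one inside the Via header at 0x1a0, followed by "1.0  (" rather than a version and line ending, which is where any content match anchored on "HTTP/" lands on this packet; the constructed request line, by contrast, has its 0x0A exactly five bytes after "HTTP/". Comparing the two windows against the real options of sid 2570 is the quickest way to confirm why the proxy's Via header trips the rule.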



