[Snort-sigs] http_header issues, Snort 2.8.5.3

evilghost at ...3397...
Thu Apr 1 10:22:40 EDT 2010


Hello, I am running Snort 2.8.5.3 and it appears that either 
http_header; is not working correctly, does not work with a relative 
keyword, or I do not understand http_header; correctly.  I am attempting 
to constrain a content match to the http_header for performance reasons.

Note: no need to recommend isdataat; I know there is data within 1024 
bytes past the previous content match.

Does NOT work:
    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: "; nocase; http_header; content:"ieatbugs="; within:1024;

Does work:
    uricontent:"/login.php"; fast_pattern; content:"|0d 0a|Cookie\: "; nocase; content:"ieatbugs="; within:1024;

Comments/insight appreciated.

-evilghost



