[Snort-sigs] Using within after http_headers

Mike Cox mike.cox52 at ...2420...
Fri Apr 30 12:35:43 EDT 2010


I'm testing some rules and it seems that using the within content
modifier on a content match that is relative to a previous content
match and uses the http_header content modifier does not work.  For
example, this is the original rule that is not alerting:

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer";
flow:established,to_server; content:"|0d 0a|Referer\: "; nocase;
http_header; content:!"google.com"; nocase; within:50;
classtype:bad-unknown; rev:1; sid:7500010;)

But if I remove the within OR the http_header content modifiers, the
rule alerts.  So both of these alert:

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer";
flow:established,to_server; content:"|0d 0a|Referer\: "; nocase;
content:!"google.com"; nocase; within:50; classtype:bad-unknown;
rev:1; sid:7500010;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer";
flow:established,to_server; content:"|0d 0a|Referer\: "; nocase;
http_header; content:!"google.com"; nocase; classtype:bad-unknown;
rev:1; sid:7500010;)

Is there some weird stuff going on with the HTTP header buffer such
that subsequent within content modifiers don't work?  If so, is this
as designed?

Thanks.

-Mike Cox
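A model of the rule's matching logic, written as an added example (it is not from the original post or from Snort itself): it applies the two content checks to constructed requests and shows how the window searched by within:50 depends on whether the cursor sits in the header buffer or in the raw payload. The http_header_buffer helper is a deliberate simplification of Snort's buffer and is an assumption of this example.

```python
import re

# Constructed HTTP requests (not from the original post). In the first one the
# Referer is the last header line and the POST body, which lies outside the
# header buffer, mentions google.com fewer than 50 bytes after the Referer match.
REQUEST_BODY_HIT = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 12\r\n"
    b"Referer: http://a.example/\r\n"
    b"\r\n"
    b"q=google.com"
)
REQUEST_HEADER_HIT = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://www.google.com/\r\n"
    b"\r\n"
)
REQUEST_NO_REFERER = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def http_header_buffer(raw):
    """Approximation (assumed here) of Snort's http_header buffer: everything up
    to and including the blank line that ends the headers, body stripped."""
    end = raw.find(b"\r\n\r\n")
    return raw if end < 0 else raw[:end + 4]


def referer_rule_alerts(raw, use_http_header=True, blocked=b"google.com", within=50):
    """Model of sid 7500010: content:"|0d 0a|Referer\\: "; nocase; [http_header;]
    content:!"google.com"; nocase; within:50;  Returns True when it would alert."""
    buf = http_header_buffer(raw) if use_http_header else raw
    first = re.search(rb"\r\nReferer: ", buf, re.IGNORECASE)   # nocase
    if first is None:
        return False                       # first content fails: no alert at all
    # within:50 (no distance) searches only the 50 bytes that follow the end of
    # the previous match, in whichever buffer the cursor was left in.
    window = buf[first.end(): first.end() + within]
    found = blocked.lower() in window.lower()
    return not found                       # negated content: alert when absent


if __name__ == "__main__":
    print(referer_rule_alerts(REQUEST_HEADER_HIT))                        # False
    print(referer_rule_alerts(REQUEST_NO_REFERER))                        # False
    print(referer_rule_alerts(REQUEST_BODY_HIT, use_http_header=True))    # True
    print(referer_rule_alerts(REQUEST_BODY_HIT, use_http_header=False))   # False
```

The last two calls show the same request evaluated against two different buffers: once the body is excluded, the 50-byte window after the Referer match no longer contains google.com, and the negated match succeeds.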



