[Snort-sigs] Using within after http_headers

Joel Esler jesler at ...435...
Fri Apr 30 12:47:06 EDT 2010


Correct.  Since this is a normalized field (similar to uricontent), you
can't have a relative statement to a normalized http field like that.

This is as designed.

On Fri, Apr 30, 2010 at 12:35 PM, Mike Cox <mike.cox52 at ...2420...> wrote:

> I'm testing some rules and it seems that using the within content
> modifier on a content match that is relative to a previous content
> match and uses the http_headers content modifier does not work.  For
> example, this is the original rule that is not alerting:
>
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer";
> flow:established,to_server; content:"|0d 0a|Referer\: "; nocase;
> http_header; content:!"google.com"; nocase; within:50;
> classtype:bad-unknown; rev:1; sid:7500010;)
>
> But if I remove the within OR the http_header content modifiers, the
> rule alerts.  So both these alert:
>
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer";
> flow:established,to_server; content:"|0d 0a|Referer\: "; nocase;
> content:!"google.com"; nocase; within:50; classtype:bad-unknown;
> rev:1; sid:7500010;)
>
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer";
> flow:established,to_server; content:"|0d 0a|Referer\: "; nocase;
> http_header; content:!"google.com"; nocase; classtype:bad-unknown;
> rev:1; sid:7500010;)
>
> Is there some weird stuff going on with the HTTP header buffer such
> that subsequent within content modifiers don't work?  If so, is this
> as designed?
>
> Thanks.
>
> -Mike Cox
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
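The rule in the question is easier to reason about with a small executable model of what it intends to express. The following is an added illustration, plain Python that is not part of this thread and not Snort's matching engine: it takes the header block of a constructed HTTP request as the "http_header" buffer, anchors on the `|0d 0a|Referer: ` match, and treats `within:50` as a 50-byte window after the end of that match in which the negated `google.com` content must be absent for the rule to fire. The sample requests are constructed, not captured traffic.

```python
import re

# Constructed sample requests (not captured traffic).
REQ_OTHER_REFERER = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://other.example.net/landing\r\n"
    b"User-Agent: test\r\n\r\n"
)
REQ_GOOGLE_REFERER = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: https://www.google.com/search?q=x\r\n"
    b"User-Agent: test\r\n\r\n"
)
REQ_NO_REFERER = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: test\r\n\r\n"
)
# "google.com" present in the Referer value, but only after the 50-byte window
# that `within:50` allows, so the negated content is treated as absent.
REQ_LONG_REFERER = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://" + b"a" * 50 + b".google.com/\r\n"
    b"User-Agent: test\r\n\r\n"
)


def http_header_buffer(request: bytes) -> bytes:
    """Return the request line plus headers, up to and including the blank line.

    This stands in for the normalized HTTP header buffer the rule selects
    with http_header (a simplification: no real normalization is done here).
    """
    end = request.find(b"\r\n\r\n")
    return request if end < 0 else request[:end + 4]


def relative_window(buf: bytes, match_end: int, within: int) -> bytes:
    """The bytes a `within:N` modifier allows the next content match to occupy:
    the N bytes immediately after the end of the previous content match."""
    return buf[match_end:match_end + within]


def referer_not_google(request: bytes, within: int = 50) -> bool:
    """Model of the poster's rule body:

        content:"|0d 0a|Referer\\: "; nocase; http_header;
        content:!"google.com"; nocase; within:50;

    Returns True when the modelled rule would fire.
    """
    buf = http_header_buffer(request)
    # First content: CRLF followed by "Referer: ", case-insensitive (nocase).
    first = re.search(rb"\r\nReferer: ", buf, re.IGNORECASE)
    if first is None:
        return False  # no anchor match, so the relative content cannot be evaluated
    window = relative_window(buf, first.end(), within)
    # Negated content: the rule fires only if the pattern is absent from the window.
    return re.search(rb"google\.com", window, re.IGNORECASE) is None


if __name__ == "__main__":
    for name, req in [
        ("other referer", REQ_OTHER_REFERER),
        ("google referer", REQ_GOOGLE_REFERER),
        ("no referer", REQ_NO_REFERER),
        ("google beyond window", REQ_LONG_REFERER),
    ]:
        print(f"{name:22s} fires={referer_not_google(req)}")
```

The last case is the one worth noticing when writing negated relative matches: because `within` bounds the search to a fixed number of bytes after the previous match, a long Referer value can push the excluded string outside the window and the rule fires even though the header does contain it.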