[Snort-sigs] Using within after http_headers

Will Metcalf william.metcalf at ...2420...
Fri Apr 30 15:21:15 EDT 2010


> Correct.  Since this is a normalized field (similar to uricontent), you
> can't have a relative statement to a normalized http field like that.
> This is as designed.
>
This is not entirely accurate ;-)...  For example, some of the
spyware-put rules mix uricontent, content and distance:0.

Also, from my tests you can mix http_client_body and http_uri with
distance and within, but it always fails for cookie and header.  Also,
with http_uri, just like uricontent, if you encode the URL, distance and
within don't work.

Regards,

Will

On Fri, Apr 30, 2010 at 11:47 AM, Joel Esler <jesler at ...435...> wrote:

> On Fri, Apr 30, 2010 at 12:35 PM, Mike Cox <mike.cox52 at ...2420...> wrote:
>>
>> I'm testing some rules and it seems that using the within content
>> modifier on a content match that is relative to a previous content
>> match and uses the http_headers content modifier does not work.  For
>> example, this is the original rule that is not alerting:
>>
>> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer";
>> flow:established,to_server; content:"|0d 0a|Referer\: "; nocase;
>> http_header; content:!"google.com"; nocase; within:50;
>> classtype:bad-unknown; rev:1; sid:7500010;)
>>
>> But if I remove the within OR the http_header content modifiers, the
>> rule alerts.  So both these alert:
>>
>> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer";
>> flow:established,to_server; content:"|0d 0a|Referer\: "; nocase;
>> content:!"google.com"; nocase; within:50; classtype:bad-unknown;
>> rev:1; sid:7500010;)
>>
>> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer";
>> flow:established,to_server; content:"|0d 0a|Referer\: "; nocase;
>> http_header; content:!"google.com"; nocase; classtype:bad-unknown;
>> rev:1; sid:7500010;)
>>
>> Is there some weird stuff going on with the HTTP header buffer such
>> that subsequent within content modifiers don't work?  If so, is this
>> as designed?
>>
>> Thanks.
>>
>> -Mike Cox
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
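To make the semantics the rule in this thread is relying on concrete, here is a small Python model of Snort's relative content matching (content, nocase, within, and a negated content). It is an added example written for this page, not code from Snort or from anyone in the thread, and it deliberately does not model the http_header buffer behaviour being reported: it runs over the raw request bytes, i.e. it shows what the rule is *meant* to express. The sample requests are constructed. One caveat it makes visible: a negated content with within:50 only inspects the 50 bytes after "Referer: ", so a long Referer that mentions google.com further along still makes the rule fire. It also simplifies one thing: Snort can retry later occurrences of the anchor content when a relative content fails, while this toy checks only the first occurrence (an assumption, fine for requests with a single Referer header).

```python
from typing import Optional

# Constructed sample requests (not taken from the thread).
REQ_GOOGLE = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://www.google.com/search?q=snort\r\n"
    b"User-Agent: curl/7.19\r\n\r\n"
)
REQ_OTHER = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://www.evil.example/landing\r\n"
    b"User-Agent: curl/7.19\r\n\r\n"
)
# Referer long enough that "google.com" first appears beyond the 50-byte window.
REQ_LATE_GOOGLE = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://www.partner.example/redirect/path/to/" + b"x" * 20
    + b"?next=http://www.google.com/\r\n"
    b"User-Agent: curl/7.19\r\n\r\n"
)


def find_nocase(buf: bytes, needle: bytes, start: int = 0,
                end: Optional[int] = None) -> int:
    """content:"needle"; nocase;  -- case-insensitive search restricted to
    buf[start:end]; returns the absolute index of the hit, or -1."""
    hay = buf[start:end].lower()
    idx = hay.find(needle.lower())
    return -1 if idx == -1 else start + idx


def rule_matches(payload: bytes, anchor: bytes, needle: bytes,
                 within: int, negated: bool) -> bool:
    """Evaluate the option chain
         content:"anchor"; nocase; content:[!]"needle"; nocase; within:N;
    Returns True when every option succeeds, i.e. the rule would alert.
    Simplification (assumption): only the first anchor occurrence is tried."""
    a = find_nocase(payload, anchor)
    if a == -1:
        return False                       # first content missing: no alert
    cursor = a + len(anchor)               # relative matching starts at end of previous match
    window_end = cursor + within           # within:N -> needle must lie in the next N bytes
    hit = find_nocase(payload, needle, cursor, window_end) != -1
    # A negated content succeeds only when the pattern is NOT found in the window.
    return (not hit) if negated else hit


def referer_rule_alerts(payload: bytes) -> bool:
    """Intent of the thread's rule: a Referer header is present and
    'google.com' does NOT occur in the 50 bytes following 'Referer: '."""
    return rule_matches(payload, b"\r\nReferer: ", b"google.com", 50, negated=True)


if __name__ == "__main__":
    for name, req in (("google", REQ_GOOGLE), ("other", REQ_OTHER),
                      ("late-google", REQ_LATE_GOOGLE)):
        print(f"{name:12s} alert={referer_rule_alerts(req)}")
```

Running it prints `google alert=False`, `other alert=True` and `late-google alert=True`; the last line is the window caveat above. If the intent is "no google.com anywhere in the Referer value", the window has to cover the whole header value (or the check has to be expressed differently), regardless of which buffer the content is evaluated against.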