[Snort-sigs] http_header

Mike Messick mikem at ...1951...
Fri Jan 15 15:37:43 EST 2010


Hi Folks,

I'm trying to write some rules that will alert whenever a specific http 
host is requested by a client.  For example:

alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to www.microsoft.com"; content: "www.microsoft.com"; http_header; nocase; sid:3000004;)

However I cannot get this rule to alert.  What am I doing wrong? 

I did notice this in the release notes for 2.8.6 Beta:
[*] New Additions
   * HTTP Inspect now splits requests into 5 components -
     Method, URI, Header (non-cookie), Cookies, Body.
     Content and PCRE rule options can now search one or more of these

I'm currently using 2.8.5.1; do I need to upgrade to 2.8.6 beta? 

Any help will be most appreciated.

Thanks,
-Mike.
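
Added example, not part of the original post and not Snort code: a simplified Python model of the five request components named in the quoted release note, showing which buffers a content match for the hostname can hit. The function names (split_request, content_match, hits) and the sample request are constructed for illustration, and the splitting logic is an assumption about the general idea, not HTTP Inspect's actual implementation.

```python
# Simplified model of the five request buffers named in the release note
# (Method, URI, Header non-cookie, Cookies, Body). Illustrative only.

def split_request(raw: bytes) -> dict:
    """Split one raw HTTP request into five named buffers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else b""
    headers, cookies = [], []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookies.append(value.strip())   # cookies get their own buffer
        else:
            headers.append(line)            # everything else stays in "header"
    return {
        "method": method,
        "uri": uri,
        "header": b"\r\n".join(headers),
        "cookie": b"; ".join(cookies),
        "body": body,
    }

def content_match(buffers: dict, needle: bytes, buffer: str, nocase=False) -> bool:
    """Model of a content option restricted to a single buffer."""
    hay = buffers[buffer]
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay

def hits(raw: bytes, needle: bytes, nocase=True) -> list:
    """Names of every buffer in which the needle is found."""
    bufs = split_request(raw)
    return sorted(n for n in bufs if content_match(bufs, needle, n, nocase))

# Constructed sample request (mixed-case Host, hostname repeated in a cookie).
SAMPLE = (b"GET /en/us/default.aspx HTTP/1.1\r\n"
          b"Host: WWW.Microsoft.com\r\n"
          b"User-Agent: test\r\n"
          b"Cookie: ref=www.microsoft.com\r\n"
          b"\r\n")

if __name__ == "__main__":
    print(hits(SAMPLE, b"www.microsoft.com"))                # nocase match
    print(hits(SAMPLE, b"www.microsoft.com", nocase=False))  # case-sensitive
```

In this model the Host value is only found in the header buffer when the match is case-insensitive, and the copy inside the Cookie line never appears in the header buffer at all.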




