[Snort-sigs] http_header

Rodrigo Montoro(Sp0oKeR) spooker at ...2420...
Fri Jan 15 21:40:46 EST 2010


I just tested your rule and it works fine

root at ...3445...:/etc/snort# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.1 (Build 114)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

root at ...3445...:/etc/snort#


root at ...3445...:/etc/snort# snort -c snort-localrules.conf -A console -K none
-q

01/16-00:32:29.872188  [**] [1:3000004:0] HTTP traffic to
www.microsoft.com[**] [Priority: 0] {TCP}
192.168.0.100:56345 -> 65.55.12.249:80
01/16-00:32:30.097842  [**] [1:3000004:0] HTTP traffic to
www.microsoft.com[**] [Priority: 0] {TCP}
192.168.0.100:56345 -> 65.55.12.249:80
01/16-00:32:30.375011  [**] [1:3000004:0] HTTP traffic to
www.microsoft.com[**] [Priority: 0] {TCP}
192.168.0.100:42317 -> 201.6.1.142:80
01/16-00:32:30.379649  [**] [1:3000004:0] HTTP traffic to
www.microsoft.com[**] [Priority: 0] {TCP}
192.168.0.100:42318 -> 201.6.1.142:80


Snort 2.8.6beta has more features but you don't need it for this rule.

How are you starting your Snort?


Regards,


On Fri, Jan 15, 2010 at 6:37 PM, Mike Messick <
mikem at ...1951...> wrote:

> Hi Folks,
>
> I'm trying to write some rules that will alert whenever a specific http
> host is requested by a client.  For example:
>
> alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to
> www.microsoft.com"; content: "www.microsoft.com"; http_header; nocase;
> sid:3000004;)
>
> However I cannot get this rule to alert.  What am I doing wrong?
>
> I did notice this in the release notes for 2.8.6 Beta:
> [*] New Additions
>   * HTTP Inspect now splits requests into 5 components -
>     Method, URI, Header (non-cookie), Cookies, Body.
>     Content and PCRE rule options can now search one or more of these
>
> I'm currently using 2.8.5.1; do I need to upgrade to 2.8.6 beta?
>
> Any help will be most appreciated.
>
> Thanks,
> -Mike.
>
>
>



-- 
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
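To make concrete what the http_header modifier in Mike's rule actually searches, here is an added example that is not Snort's code and not from either poster. It is a toy Python model of the buffer split described in the 2.8.6 release notes quoted above (Method, URI, Header without cookies, Cookies, Body); the request splitting is a simplification, not Snort's HTTP Inspect parser, and the two sample requests are constructed, not captured traffic. It shows why the rule fires on a Host: header regardless of case, why the same string in the request body does not satisfy an http_header match, and where the cookie value ends up under the 2.8.6 split.

```python
# Added example (not Snort code and not either poster's): a toy model of how
# HTTP Inspect hands a request to the rule engine as separate buffers, so that
# `content:"www.microsoft.com"; http_header; nocase;` can be reasoned about.
# Buffer names follow the 2.8.6 release notes quoted in the thread; the
# splitting logic here is a simplification, not Snort's parser.
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str   # http_method buffer
    uri: str      # http_uri buffer
    header: str   # http_header buffer: non-cookie header lines
    cookie: str   # http_cookie buffer: Cookie header value(s)
    body: str     # http_client_body buffer


def split_request(raw: bytes) -> HttpRequest:
    """Split a raw client request into the five buffers (simplified)."""
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else ""
    header_lines, cookies = [], []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            cookies.append(value.strip())
        else:
            header_lines.append(line)
    return HttpRequest(method, uri, "\r\n".join(header_lines),
                       "; ".join(cookies), body)


# Maps the rule-option modifier to the buffer it restricts the search to.
BUFFERS = {
    "http_method": "method",
    "http_uri": "uri",
    "http_header": "header",
    "http_cookie": "cookie",
    "http_client_body": "body",
}


def content_match(req: HttpRequest, pattern: str,
                  modifier: str = "http_header", nocase: bool = True) -> bool:
    """Evaluate a single `content` option with an HTTP buffer modifier."""
    buf = getattr(req, BUFFERS[modifier])
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


# Constructed sample requests (not captured traffic).
REQ_HOST_UPPER = (b"GET /en-us/ HTTP/1.1\r\n"
                  b"Host: WWW.MICROSOFT.COM\r\n"
                  b"User-Agent: test-client\r\n"
                  b"Cookie: ref=www.microsoft.com\r\n\r\n")
REQ_BODY_ONLY = (b"POST /submit HTTP/1.1\r\n"
                 b"Host: example.invalid\r\n"
                 b"Content-Length: 22\r\n\r\n"
                 b"site=www.microsoft.com")


def evaluate(pattern: str = "www.microsoft.com") -> dict:
    """Run the pattern against both samples with several modifier combinations."""
    host_req = split_request(REQ_HOST_UPPER)
    body_req = split_request(REQ_BODY_ONLY)
    return {
        # Mike's rule: header buffer, case-insensitive -> fires on the Host: line
        "host_header_nocase": content_match(host_req, pattern),
        # the same rule without nocase misses the upper-case Host value
        "host_header_case": content_match(host_req, pattern, nocase=False),
        # the string in the body alone never satisfies an http_header match
        "body_header_nocase": content_match(body_req, pattern),
        # ...but it would match if the rule used http_client_body instead
        "body_client_body": content_match(body_req, pattern, "http_client_body"),
        # under the 2.8.6 split, cookies are not part of http_header
        "host_cookie": content_match(host_req, pattern, "http_cookie"),
    }


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:22s} {'ALERT' if fired else '-'}")
```

Running the block prints one line per combination; the first and fourth fire, the others do not. The point for rule writers is that the modifier chooses the buffer before the content search runs, so a pattern that is present only in another part of the request is never seen by that option.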