[Snort-sigs] http_header

Mike Messick mikem at ...1951...
Fri Jan 15 23:03:25 EST 2010


No - but when I modify the rule to:

alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to microsoft.com"; content:"microsoft.com"; nocase; sid:3000004;)

it will fire if I type 'microsoft.com' into the search window on 
www.microsoft.com.

gahh... This feels obvious, but I'm just not seeing it yet.

-Mike.


evilghost at ...3397... wrote:
> Mike, I'm curious, does this work?
>
> alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to 
> www.microsoft.com"; content:"|0d 0a|Host\: www.microsoft.com|0d 0a|"; nocase; 
> sid:3000004;)
>
> Note, I did not specify an HTTP method so there is potential to false against body content.
>
> PS - Todd says I don't need to escape colon, I'm old school.
>
> -evilghost
>
>
>
>
>
> Mike Messick wrote:
>   
>> Hi Folks,
>>
>> I'm trying to write some rules that will alert whenever a specific http 
>> host is requested by a client.  For example:
>>
>> alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to 
>> www.microsoft.com"; content: "www.microsoft.com"; http_header; nocase; 
>> sid:3000004;)
>>
>> However, I cannot get this rule to alert.  What am I doing wrong?
>>
>> I did notice this in the release notes for 2.8.6 Beta:
>> [*] New Additions
>>    * HTTP Inspect now splits requests into 5 components -
>>      Method, URI, Header (non-cookie), Cookies, Body.
>>      Content and PCRE rule options can now search one or more of these
>>
>> I'm currently using 2.8.5.1; do I need to upgrade to 2.8.6 beta? 
>>
>> Any help will be most appreciated.
>>
>> Thanks,
>> -Mike.
>>
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
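As an added example (not code from the thread or from Snort itself), the following Python models the five-buffer split described in the 2.8.6 release notes quoted above and runs the three rule variants discussed against constructed requests; it shows why a bare content: match fires on a search term in the body while the http_header and Host-line variants do not. Host names and bodies are constructed for illustration.

```python
# Models HTTP Inspect's split of a request into Method, URI, Header
# (non-cookie), Cookies and Body, then applies the three rule variants
# from the thread to each buffer. Constructed input; not Snort code.

def split_request(raw: bytes) -> dict:
    """Split one HTTP request into the five HTTP Inspect buffers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    cookies = [h for h in header_lines if h.lower().startswith(b"cookie:")]
    headers = [h for h in header_lines if h not in cookies]
    return {"method": method, "uri": uri,
            "header": b"\r\n".join(headers) + b"\r\n",
            "cookie": b"\r\n".join(cookies), "body": body}

def rule_raw(raw: bytes) -> bool:
    # content:"microsoft.com"; nocase;  (no buffer modifier: whole payload)
    return b"microsoft.com" in raw.lower()

def rule_http_header(raw: bytes) -> bool:
    # content:"www.microsoft.com"; http_header; nocase;  (header buffer only)
    return b"www.microsoft.com" in split_request(raw)["header"].lower()

def rule_host_line(raw: bytes) -> bool:
    # content:"|0d 0a|Host: www.microsoft.com|0d 0a|"; nocase;  (CRLF-anchored)
    return b"\r\nhost: www.microsoft.com\r\n" in raw.lower()

def evaluate(raw: bytes) -> dict:
    """Which of the three rules would fire on this request."""
    return {"raw": rule_raw(raw), "http_header": rule_http_header(raw),
            "host_line": rule_host_line(raw)}

# Constructed: a search for "microsoft.com" submitted to an unrelated host.
SEARCH_POST = (b"POST /search HTTP/1.1\r\nHost: search.example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 15\r\n\r\nq=microsoft.com")
# Constructed: a plain request to www.microsoft.com with a cookie.
MS_GET = b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\nCookie: a=1\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("search elsewhere", SEARCH_POST), ("microsoft", MS_GET)):
        print(name, evaluate(req))
```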