[Snort-sigs] sid:2278 will never fire with 2.8.6

Will Metcalf william.metcalf at ...2420...
Wed May 12 23:38:36 EDT 2010


The modifications you have made to sid:2278 in the 2.8.6 rules will
cause this sig to never fire.  You can't use a http_header content
modifier in conjunction with a byte_test,relative match in 2.8.6.
Actually it looks like the bug still exists where you can't use
byte_test in conjunction with the http_header keyword in the same rule
even if it isn't relative.  For example, if you modify the sig to use
an absolute offset of 73 (using the attached pcap) rather than a
relative offset and just have the http_header match present in the
same rule the sig won't fire.  If you simply remove the http_header
modifier in either case the sig fires with a relative or absolute
offset.

Regards,

Will
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ncontentlen.pcap
Type: application/cap
Size: 2527 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20100512/5b028d48/attachment.bin>

