[Snort-sigs] Question on http_client_body

Will Metcalf william.metcalf at ...2420...
Mon Jul 2 09:31:23 EDT 2012


James,

The keyword you are looking for is file_data;
http://manual.snort.org/node32.html#SECTION004525000000000000000. Note
that in newer versions of Snort it is a sticky buffer. In 2.9.0.x it
simply sets an inspection pointer against which you perform relative
matches.

Regards,

Will

On Mon, Jul 2, 2012 at 7:50 AM, James Lay <jlay at ...3266...> wrote:
> Hey all,
>
> I'm trying to find out if there's a content matching option to start searching a packet AFTER the http header.  I see http_client_body comes close, but this matches the client request…is there something I can use to match the server response?  Thanks all.
>
> James
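The two behaviours of file_data described in the reply, written out as a pair of rules. This is an added example, not part of the original thread; the marker strings, messages and sids are constructed placeholders, and $EXTERNAL_NET, $HTTP_PORTS and $HOME_NET are assumed to be defined in snort.conf.

```snort
# Snort 2.9.0.x: file_data only moves the detection pointer to the start of
# the HTTP response body, so the content match that follows is made relative
# to that pointer with distance:0.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL constructed marker in HTTP response body (2.9.0.x style)"; flow:to_client,established; file_data; content:"EXAMPLE-MARKER-ONE"; distance:0; sid:1000001; rev:1;)

# Newer versions: file_data is a sticky buffer, so every content match after
# it is evaluated against the response body without needing a relative
# modifier. distance:0 on the second match only orders it after the first.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL constructed markers in HTTP response body (sticky buffer)"; flow:to_client,established; file_data; content:"EXAMPLE-MARKER-ONE"; content:"EXAMPLE-MARKER-TWO"; distance:0; sid:1000002; rev:1;)
```

Both rules use flow:to_client so they only fire on server responses, which is the direction http_client_body does not cover. For HTTP traffic, file_data relies on the http_inspect preprocessor having extended_response_inspection enabled for the server profile.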
