[Snort-sigs] Rules across tcp headers & http headers/payload

Andy Richards andy.richards.iit at ...2420...
Mon Mar 4 05:50:13 EST 2013


I'm new to snort and am trying to evaluate if I can write a custom snort rule which can filter/match across tcp headers and http headers/payload.

I understand that the Stream5 preprocessor is probably the way I need to go; however, from the documentation I can't fathom out if I can match across tcp/http packet types. For example, in my rule I would like to identify if an individual (I'm assuming I can use source ip and port for this?) is sending/receiving the following packet scenario:

1) a tcp syn sent to the client followed by...
2) a http POST from the client to certain URL for example "POST /someurl" followed by...
3) a http payload to the client for example beginning with "HTTP/1.1 200 OK..." followed by...
4) a tcp fin to the client

As you can see my example spans across tcp headers and http headers/payload in both directions.

Is this mix/combination of tcp & http inspect possible with Snort rules?

Many thanks,


Sent from my iPad
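The following is an added example (not from the original post, and not an official Snort rule) showing how the four-step scenario above is usually expressed in Snort 2.9 rule language. A single rule only ever matches one packet or one reassembled PDU, so the cross-packet state is carried with flowbits, which Stream5 keeps per TCP session; that per-session tracking is also what ties the steps to one client rather than to a bare source ip/port. The variable names ($HOME_NET, $EXTERNAL_NET, $HTTP_PORTS) are the usual snort.conf variables, and the sid values and the flowbit names example.post_seen / example.ok_seen are placeholders chosen here.

```snort
# Step 1: TCP SYN. Matched on the bare packet (no stream state yet), so flow:stateless is required.
# Uncomment if you want a separate event for the handshake; Stream5 will not mark the session
# established until this handshake completes, so steps 2-4 below implicitly come after it.
# alert tcp any any -> any $HTTP_PORTS (msg:"EXAMPLE tcp syn to http port"; flags:S; flow:stateless; sid:1000001; rev:1;)

# Step 2: client -> server "POST /someurl". Matched in the normalized HTTP buffers that
# http_inspect provides. flowbits:set records it for later packets in the same session;
# flowbits:noalert suppresses an event for this intermediate step.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE POST /someurl seen"; flow:to_server,established; content:"POST"; http_method; content:"/someurl"; http_uri; flowbits:set,example.post_seen; flowbits:noalert; sid:1000002; rev:1;)

# Step 3: server -> client response starting with "HTTP/1.1 200 OK", only counted if the POST
# was already seen in this session (flowbits:isset). depth:15 anchors the match to the start
# of the reassembled response so a "200 OK" string deeper in the body does not qualify.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE 200 OK after POST /someurl"; flow:to_client,established; flowbits:isset,example.post_seen; content:"HTTP/1.1 200 OK"; depth:15; flowbits:set,example.ok_seen; flowbits:noalert; sid:1000003; rev:1;)

# Step 4: TCP FIN toward the client. flags:F+ means FIN plus any other flags (FIN/ACK is the
# common case). This is the rule that actually raises the event, because only here do all
# earlier steps hold; the flowbits are then cleared so the session cannot fire twice.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE sequence complete: SYN, POST /someurl, 200 OK, FIN"; flags:F+; flow:to_client; flowbits:isset,example.post_seen; flowbits:isset,example.ok_seen; flowbits:unset,example.post_seen; flowbits:unset,example.ok_seen; sid:1000004; rev:1;)
```

Two practical points when testing this: the flowbit rules only work with Stream5 and http_inspect enabled in snort.conf (flowbits and the http_* modifiers depend on them), and step 1 is deliberately optional, since a rule carrying flags:S cannot also carry flow:established and therefore cannot share the session state that the other three rules use. If the direction of the SYN in the original scenario really matters, that check has to stay a separate stateless rule as shown.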
