[Snort-sigs] Rules across tcp headers & http headers/payload
andy.richards.iit at ...2420...
Mon Mar 4 05:50:13 EST 2013
I'm new to Snort and am trying to evaluate whether I can write a custom Snort rule which can filter/match across TCP headers and HTTP headers/payload.
I understand that the Stream5 preprocessor is probably the way I need to go; however, from the documentation I can't fathom out whether I can match across TCP/HTTP packet types. For example, in my rule I would like to identify if an individual (I'm assuming I can use source IP and port for this?) is sending/receiving the following packet scenario:
1) a TCP SYN sent to the client, followed by...
2) an HTTP POST from the client to a certain URL, for example "POST /someurl", followed by...
3) an HTTP payload to the client, for example beginning with "HTTP/1.1 200 OK...", followed by...
4) a TCP FIN to the client
As you can see, my example spans across TCP headers and HTTP headers/payload in both directions.
Is this mix/combination of TCP and HTTP inspection possible with Snort rules?
Sent from my iPad
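As an added illustration (not part of the list message above, and not an official Snort rule set), the usual way to tie the stages of one TCP session together is the flowbits keyword: each stage sets a per-flow bit with flowbits:noalert, and only the final stage alerts. Stream5 keeps that per-flow state, and its tracking of the three-way handshake is what flow:established checks, so the SYN stage is expressed through flow:established rather than a separate SYN rule. The variables $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are the standard snort.conf variables; the SIDs 1000001-1000003, the bit names and the URL /someurl are placeholders chosen for this example.

```snort
# Added example (not from the original post): chaining stages of one session
# with flowbits. Names, SIDs and the URL are placeholders for illustration.

# Stages 1+2: flow:established covers the handshake (SYN/SYN-ACK/ACK tracked by
# Stream5); then a POST from the client to the URL of interest. No alert yet,
# just set a per-flow bit.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE stage 2 - POST /someurl seen"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    content:"/someurl"; http_uri; \
    flowbits:set,example.post_seen; flowbits:noalert; \
    sid:1000001; rev:1; )

# Stage 3: a "200 OK" response on the same flow, evaluated only if stage 2
# already fired on this flow (flowbits:isset). Still no alert.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"EXAMPLE stage 3 - 200 OK after POST /someurl"; \
    flow:established,to_client; \
    flowbits:isset,example.post_seen; \
    content:"HTTP/1.1 200 OK"; depth:15; \
    flowbits:set,example.ok_seen; flowbits:noalert; \
    sid:1000002; rev:1; )

# Stage 4: a FIN (plus any other flags, e.g. FIN/ACK) from the server on a flow
# where stages 2 and 3 were seen. This is the only rule that alerts.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"EXAMPLE stage 4 - server FIN after POST /someurl and 200 OK"; \
    flow:established,to_client; \
    flowbits:isset,example.ok_seen; \
    flags:F+; \
    sid:1000003; rev:1; )
```

Two caveats a practitioner should check before relying on this. First, flowbits are keyed to the individual TCP session, so "the same individual" means the same flow; correlating several connections from one source IP across sessions needs something outside plain flowbits (for example correlation in the SIEM consuming the alerts). Second, whether the FIN in stage 4 is still evaluated with the flow's bits intact depends on the Stream5 configuration in use, so this final rule is worth confirming against a captured pcap in a lab before deployment.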