[Snort-sigs] Rules across tcp headers & http headers/payload

waldo kitty wkitty42 at ...3507...
Mon Mar 4 13:01:04 EST 2013

On 3/4/2013 05:50, Andy Richards wrote:
> Hi,
> Im new to snort and a trying to evaluate if i can write a custom snort rule which can filter/match across top headers and http headers/payload.
> I understand that the Stream5 pre processor is probably the way I need to go however from the documentation I can't fathom out if i can  match across tcp/http packets types? For example in my rule I will like to identify if an individual (I'm assuming I can use source ip and port for this?) is sending/receiving the following packet scenario;
> 1) a tcp syn sent to the client followed by...
> 2) a http POST from the client to certain URL for example "POST /someurl" followed by...
> 3) a http payload to the client for example beginning with "HTTP/1.1 200 OK..." followed by...
> 4) a tcp fin to the client
> As you can see my example spans across tcp headers and http headers/payload in both directions.
> Is this mix/combination of tcp&  http inspect possible with Snort rules?

if the connection traffic all takes place in the same session, you might be able 
to do this... you'll need to look at checking and setting flowbits...

i've done something similar but it doesn't work as desired when the traffic is 
in different sessions... at that time, flowbits were not working across 
sessions... they may now in the 2.9 series of snort...

More information about the Snort-sigs mailing list