I think the packets are correct.  I guess the situation is, when you have encoding such as multipart/form-data, some header fields like Content-Disposition can end up in the body of the message.  Thus, snort rules matching on such headers and using the http_header buffer, won't match as intended.  Make sense?<br>
<br>I was wondering if it was possible for http_inspect to realize this situation and populate the http_header buffer with the headers from the body so that rules matching on things like Content-Disposition in http_header will still alert properly in situations such as multipart/form-data encoding.<br>
<br>Thanks!<br><br>-Mike Cox<br><br><div class="gmail_quote">On Thu, Oct 25, 2012 at 4:35 PM, Joel Esler <span dir="ltr"><<a href="mailto:jesler@...435..." target="_blank">jesler@...435...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div class="im"><div><div>On Oct 25, 2012, at 4:35 PM, <a href="mailto:lists@...202....3397..." target="_blank">lists@...3397...</a> wrote:</div>
<blockquote type="cite"><span style="font-family:Helvetica;font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none">On 10/25/2012 03:07 PM, Joel Esler wrote:</span><br style="font-family:Helvetica;font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<blockquote type="cite" style="font-family:Helvetica;font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
Am I still missing the point?  Am I insane?  <br></blockquote><br style="font-family:Helvetica;font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span style="font-family:Helvetica;font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none">You're missing RFC 6266 which updates RFC 2616 ;)</span></blockquote>
</div><br></div><div>There isn't anything in that RFC that alters the behavior of where the header ends.</div><div><br></div><div>My point is, I think, if I'm right, that whatever program is generating the packets that Mike is talking about isn't doing so correctly.</div>
<div class="im"><div><br></div><div><span style="font-size:12px;font-family:'Lucida Grande'">--</span><br><span style="font-size:12px;font-family:'Lucida Grande'"><b>Joel Esler</b></span><br><span style="font-size:12px;font-family:'Lucida Grande'">Senior Research Engineer, VRT</span><br>
<span style="font-size:12px;font-family:'Lucida Grande'">OpenSource Community Manager</span><br><span style="font-size:12px;font-family:'Lucida Grande'">Sourcefire</span></div></div></div></blockquote></div>
<br>
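The following is an added example, not code from the thread or from Snort, showing the situation Mike describes: in a multipart/form-data upload the Content-Disposition header lives in the body's part headers, not in the HTTP header block. The request and response below are constructed (boundary, host and filenames are made up). The script splits a raw message into its header block (what an http_header rule inspects) and its body (what http_client_body inspects), walks the multipart parts, and reports where the header actually appears.

```python
"""Added example (not from the thread or from Snort): locate where a
Content-Disposition header ends up in a multipart/form-data upload.
All messages below are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Constructed upload body: one file part delimited by a made-up boundary.
SAMPLE_BODY = (
    b"------snortdemo\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="report.exe"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"MZ\x90\x00 (constructed payload)\r\n"
    b"------snortdemo--\r\n"
)

# Constructed request: Content-Disposition is nowhere in the header block.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: multipart/form-data; boundary=----snortdemo\r\n"
    + b"Content-Length: " + str(len(SAMPLE_BODY)).encode("ascii") + b"\r\n"
    + b"\r\n"
    + SAMPLE_BODY
)

# Constructed response: here Content-Disposition IS a real HTTP header.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="report.exe"\r\n'
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"MZ\x90\x00"
)

FILENAME_RE = re.compile(r'filename="([^"]*)"')


def parse_header_block(block: bytes) -> Dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers: Dict[str, str] = {}
    for line in block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return headers


def split_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP message into start line, header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    start_line, _, header_block = head.partition(b"\r\n")
    return start_line.decode("ascii"), parse_header_block(header_block), body


def boundary_from_content_type(value: str):
    """Extract the boundary parameter, quoted or bare; None if absent."""
    m = re.search(r'boundary=("?)([^";]+)\1', value)
    return m.group(2) if m else None


def parse_multipart(body: bytes, boundary: str) -> List[Tuple[Dict[str, str], bytes]]:
    """Return (part_headers, part_body) for each part of a multipart body."""
    delim = b"--" + boundary.encode("ascii")
    parts = []
    for chunk in body.split(delim)[1:]:          # [0] is the preamble
        if chunk.startswith(b"--"):              # closing delimiter reached
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        if chunk.endswith(b"\r\n"):
            chunk = chunk[:-2]
        part_head, _, part_body = chunk.partition(b"\r\n\r\n")
        parts.append((parse_header_block(part_head), part_body))
    return parts


def locate_header(raw: bytes, name: str) -> Dict[str, object]:
    """Report whether `name` is in the HTTP header block (http_header) and
    how many multipart body parts carry it (http_client_body)."""
    _, headers, body = split_message(raw)
    boundary = boundary_from_content_type(headers.get("content-type", ""))
    in_parts = 0
    if boundary:
        in_parts = sum(1 for ph, _ in parse_multipart(body, boundary) if name.lower() in ph)
    return {"header_block": name.lower() in headers, "body_parts": in_parts}


def uploaded_filenames(raw: bytes) -> List[str]:
    """Filenames a detection over the body parts (not the headers) would see."""
    _, headers, body = split_message(raw)
    boundary = boundary_from_content_type(headers.get("content-type", ""))
    if not boundary:
        return []
    names = []
    for part_headers, _ in parse_multipart(body, boundary):
        m = FILENAME_RE.search(part_headers.get("content-disposition", ""))
        if m:
            names.append(m.group(1))
    return names


if __name__ == "__main__":
    print("request :", locate_header(SAMPLE_REQUEST, "Content-Disposition"))
    print("response:", locate_header(SAMPLE_RESPONSE, "Content-Disposition"))
    print("uploaded:", uploaded_filenames(SAMPLE_REQUEST))
```

For the constructed request the header lands only in the body parts, so a rule keyed on the header buffer has nothing to match and the filename has to be pulled from the body instead; for the constructed response it is a genuine HTTP header and the header buffer is the right place to look.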