<div dir="ltr"><div>Thanks James we are taking a look at it.<br><br></div>Thanks,<br><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><span>Carlos Pacho<br>Research Engineer, VRT<br>
Sourcefire, now part of Cisco<br><a href="mailto:cpacho@...435..." target="_blank">cpacho@...435...</a><br><a href="http://www.sourcefire.com/" target="_blank">Sourcefire.com</a></span></div></div>
<br><br><div class="gmail_quote">On Thu, Nov 14, 2013 at 12:09 PM, James Lay <span dir="ltr"><<a href="mailto:jlay@...3266..." target="_blank">jlay@...3266...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 2013-11-14 09:00, <a href="mailto:lists@...3397...">lists@...3397...</a> wrote:<br>
> On 11/14/2013 09:47 AM, James Lay wrote:<br>
>> content:"GET |2f|HNAP1|2f|<br>
>> HTTP|2f|1.1"; http_raw_uri; fast_pattern:only<br>
>> content:"Authorization|3a|<br>
>> Basic YWRtaW46"; http_header; metadata:policy balanced-ips drop,<br>
>> policy<br>
>> security-ips drop, ruleset community, service<br>
>><br>
>> http;reference:url,<a href="http://www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf" target="_blank">www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf</a>;<br>
>> classtype:bad-unknown; sid:10000112; rev:1;)<br>
>><br>
>> I'm not sure if I need to use http_uri or http_raw_uri....does<br>
>> normalizing remove the HTTP/1.1?  Thanks all.<br>
><br>
> It actually won't be there, that or the http method.  I'd probably<br>
> write it like<br>
> this (not saying I'm right)<br>
><br>
> content:"GET|20 2f|HNAP1|2f 20|HTTP|2f|1.1|0d 0a|";<br>
> fast_pattern:only;<br>
> content:"Authorization|3a 20|Basic YWRtaW46"; http_header;<br>
><br>
><br>
> Cheers,<br>
> Nathan<br>
<br>
</div>Thanks Nathan...gonna mod my sig and run in production and see how it<br>
goes.<br>
<span class="HOEnZb"><font color="#888888"><br>
James<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
------------------------------------------------------------------------------<br>
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps<br>
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access<br>
Free app hosting. Or install the open source package on any LAMP server.<br>
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!<br>
<a href="http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk" target="_blank">http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk</a><br>
_______________________________________________<br>
Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...639...forge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a><br>
<a href="http://www.snort.org" target="_blank">http://www.snort.org</a><br>
<br>
<br>
Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> for the latest news about Snort!<br>
</div></div></blockquote></div><br></div></div>