[Snort-users] http_* keywords

Bhagya Bantwal bbantwal at ...1935...
Wed Aug 25 17:45:04 EDT 2010

There is no configuration option to turn off the HTTP request URI extraction
and detection in HTTP. By default all the http buffers are extracted by
snort (except cookie buffer).

The option inspect_uri_only should however turn off all other http keywords.
It seems to be broken and will be fixed in the next release.

On Thu, Aug 19, 2010 at 6:37 PM, Eoin Miller <
eoin.miller at ...14586...> wrote:

> So if a rule has an http_* keyword (http_uri, http_client_body,
> http_method) but the snort configuration does not allow the use of it
> because it is missing in the http_inspect configuration section, why
> does the rule choose to match and fire for that content that is using
> that keyword modifier?
> -- Eoin