[Snort-users] Need help with byte_test

Joel Esler jesler at ...1935...
Tue Feb 12 08:13:39 EST 2013


On Feb 12, 2013, at 1:46 AM, sandeep mlist <sandy.mlist at ...11827...> wrote:

> Hi,
> I need to test if a content-length is zero. Here is the response 
> "HTTP/1.1 200 OK
> Date: Wed, 23 Jan 2013 23:44:06 GMT
> Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
> Last-Modified: Wed, 23 Jan 2013 23:39:47 GMT
> ETag: "0-4d3fd35aaeb66"
> Accept-Ranges: bytes
> Content-Length: 0"
> 
> I am checking for "content:"|0a|content-length:" and I need to test if the length is zero using byte_test. Please help me.

If you aren't testing a complex value, just use a content match:

content:"Content-Length|3a 20|0|0d 0a|"; http_header;

But if you insist

content:"Content-Length|3a 20|"; byte_test:1,=,0,0,relative,string,dec;
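
The two approaches from the reply, emulated in Python against the response from the question (an added example, not part of the original post and not Snort code). It is a simplified model of Snort's matching: byte_test reads the bytes as a binary integer unless the string modifier is given, and the function names and the CRLF-terminated sample are assumptions made for illustration.

```python
import re

# Constructed sample: headers from the question, CRLF-terminated.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 23 Jan 2013 23:44:06 GMT\r\n"
    b"Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 0\r\n\r\n"
)

ANCHOR = b"Content-Length: "  # content:"Content-Length|3a 20|"


def content_match(payload):
    """Model of content:"Content-Length|3a 20|0|0d 0a|" (one literal pattern)."""
    return ANCHOR + b"0\r\n" in payload


def byte_test_eq(payload, nbytes, value, string_dec):
    """Model of byte_test:<nbytes>,=,<value>,0,relative[,string,dec] after ANCHOR."""
    pos = payload.find(ANCHOR)
    if pos < 0:
        return False
    start = pos + len(ANCHOR)
    field = payload[start:start + nbytes]
    if len(field) < nbytes:
        return False  # not enough data left to read
    if string_dec:
        # string,dec: the bytes are ASCII digits, parsed as a decimal number
        digits = re.match(rb"\d+", field)
        return digits is not None and int(digits.group()) == value
    # default: the bytes are a big-endian binary integer ('0' is 0x30 = 48)
    return int.from_bytes(field, "big") == value
```

A one-byte byte_test only inspects the first digit, so a value with a leading zero passes it, while the content match that includes the trailing CRLF does not.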

