[Snort-users] Need help with byte_test

waldo kitty wkitty42 at ...14940...
Tue Feb 12 14:20:26 EST 2013


On 2/12/2013 13:50, Jeremy Hoel wrote:
> I believe you could add a 'no-case' so that it checked content-length
> and Content-Length, correct?

sure one could do that but why? i'm not aware of any other format than 
"Content-Length:" being proper and allowed for... one might write a rule for the 
other variants to catch them as being invalid so that followup on the traffic 
can be performed...

> Some of the options tend to get a bit confusing. hehe

hahaha... yep, at times :P

> On Tue, Feb 12, 2013 at 5:53 PM, waldo kitty<wkitty42 at ...14940...>  wrote:
>> On 2/12/2013 01:46, sandeep mlist wrote:
>>> Hi,
>>> I need to test if a content-length is zero. Here is the response
>>> "HTTP/1.1 200 OK
>>> Date: Wed, 23 Jan 2013 23:44:06 GMT
>>> Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
>>> Last-Modified: Wed, 23 Jan 2013 23:39:47 GMT
>>> ETag: "0-4d3fd35aaeb66"
>>> Accept-Ranges: bytes
>>> Content-Length: 0"
>>>
>>> I am checking for "content:"|0a|content-length:" and i need to test if length is
>>> zero using byte_test. Please help me.
>>
>> firstly, there is a difference between "Content-Length:" and
>> "content-length:"... ensure that detection of "Content-Length:" is accurate and
>> then move to the next step of checking the number...
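
The two steps described in this thread (locate the header name, then test the number after it), modelled in Python as an added example; it is not part of the original messages and is not Snort's implementation of `content` or `byte_test`. The function names and the CRLF-terminated sample response are constructed here for illustration.

```python
import re

# Constructed sample: the response quoted in the thread, with CRLF line endings added.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 23 Jan 2013 23:44:06 GMT\r\n"
    b"Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7\r\n"
    b"Last-Modified: Wed, 23 Jan 2013 23:39:47 GMT\r\n"
    b'ETag: "0-4d3fd35aaeb66"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 0\r\n\r\n"
)
NAME = b"Content-Length:"


def find_header(head, nocase):
    """Step 1: find the header name at the start of a line.
    Returns (offset just past the colon, spelling as seen on the wire) or None."""
    flags = re.IGNORECASE if nocase else 0
    m = re.search(rb"(?:^|\n)(" + re.escape(NAME) + rb")", head, flags)
    return (m.end(1), m.group(1)) if m else None


def length_value(head, pos):
    """Step 2: read the whole decimal string after the name.
    Returns None unless the value is digits only, so 10 or 05x is never read as 0."""
    m = re.match(rb"[ \t]*(\d+)[ \t]*\r?\n", head[pos:])
    return int(m.group(1)) if m else None


def classify(data):
    """Inspect only the header section, so a body that happens to contain
    the text 'Content-Length: 0' cannot produce a match."""
    head = data.split(b"\r\n\r\n", 1)[0] + b"\r\n"
    hit = find_header(head, nocase=True)
    if hit is None:
        return {"present": False}
    pos, spelling = hit
    value = length_value(head, pos)
    return {
        "present": True,
        "exact_case": spelling == NAME,  # False marks a spelling variant for follow-up
        "value": value,
        "zero": value == 0,
    }


if __name__ == "__main__":
    print(classify(SAMPLE))
```
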





