[Snort-users] Need help with byte_test

Joel Esler jesler at ...1935...
Tue Feb 12 19:15:22 EST 2013


Write a rule for "content-length" and deploy it, you'd be surprised.


On Feb 12, 2013, at 2:20 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 2/12/2013 13:50, Jeremy Hoel wrote:
>> I believe you could add a 'no-case' so that it checked content-length
>> and Content-Length, correct?
> 
> sure one could do that but why? i'm not aware of any other format than 
> "Content-Length:" being proper and allowed for... one might write a rule for the 
> other variants to catch them as being invalid so that followup on the traffic 
> can be performed...
> 
>> Some of the options tend to get a bit confusing. hehe
> 
> hahaha... yep, at times :P
> 
>> On Tue, Feb 12, 2013 at 5:53 PM, waldo kitty<wkitty42 at ...14940...>  wrote:
>>> On 2/12/2013 01:46, sandeep mlist wrote:
>>>> Hi,
>>>> I need to test if a content-length is zero. Here is the response
>>>> "HTTP/1.1 200 OK
>>>> Date: Wed, 23 Jan 2013 23:44:06 GMT
>>>> Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
>>>> Last-Modified: Wed, 23 Jan 2013 23:39:47 GMT
>>>> ETag: "0-4d3fd35aaeb66"
>>>> Accept-Ranges: bytes
>>>> Content-Length: 0"
>>>> 
>>>> I am checking for "content:"|0a|content-length:" and i need to test if length is
>>>> zero using byte_test. Please help me.
>>> 
>>> firstly, there is a difference between "Content-Length:" and
>>> "content-length:"... ensure that detection of "Content-Length:" is accurate and
>>> then move to the next step of checking the number...
> 





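The two ideas raised in the thread, written out as Snort 2.x rules. This is an added example, not something posted by anyone on the list: a case-insensitive header match (the rule option is spelled `nocase`) followed by a `byte_test` on the value, and a separate rule that flags spellings other than "Content-Length:". The sids, msg strings and use of the stock `$HTTP_SERVERS`, `$HTTP_PORTS` and `$EXTERNAL_NET` variables are assumptions, as is a single space after the colon.

```snort
# Added example with constructed local rules (sids >= 1000000).
# Assumes $HTTP_SERVERS, $HTTP_PORTS and $EXTERNAL_NET are set in snort.conf,
# exactly one space follows the colon, and the header is in the inspected packet.

# 1. Header name in any letter case, value tested numerically with byte_test.
#    byte_test:1,=,0,0,relative,string,dec reads 1 byte at offset 0 from the end
#    of the previous content match, converts it as a decimal string and
#    compares the result to 0. byte_test does not move the cursor, so the
#    CRLF check that follows (1 byte past the match, inside the next 2 bytes)
#    keeps values such as "05" or "0123" from matching on their first digit.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any \
    (msg:"LOCAL HTTP response with Content-Length 0"; \
    flow:to_client,established; \
    content:"Content-Length|3A 20|"; nocase; \
    byte_test:1,=,0,0,relative,string,dec; \
    content:"|0D 0A|"; distance:1; within:2; \
    sid:1000001; rev:1;)

# 2. Follow-up rule for other spellings: the header is present in some letter
#    case, but the exact string "Content-Length:" appears nowhere in the packet.
#    The match is on the raw payload, so the same text inside a response body
#    would also count.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any \
    (msg:"LOCAL HTTP response Content-Length header in non-standard case"; \
    flow:to_client,established; \
    content:"Content-Length|3A|"; nocase; \
    content:!"Content-Length|3A|"; \
    sid:1000002; rev:1;)
```

Rule 1 fires on the response quoted in the original question; rule 2 stays silent on it because the header there uses the exact "Content-Length:" spelling.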