[Snort-users] http_header not working

Mitesh Jadia mitesh.jadia at ...11827...
Mon Sep 29 09:40:55 EDT 2014


Hello,

As per my understanding...

The following signature
alert ip any any -> any any (content:"test"; http_header; msg:"Test Signature"; sid:"9999998"; rev:1);
will not trigger, because the content "test" in your GET request is not part of the http_header field. http_uri and http_raw_uri are the proper keywords to match this content.


alert ip any any -> any any (content:"test"; http_uri; msg:"Test Signature"; sid:"9999997"; rev:1);
Logically you should use 'alert tcp' for this signature. However, with alert ip this signature is working for me here.


On Fri, Sep 26, 2014 at 5:59 PM, NIDS TEAM <nidsteam at ...11827...> wrote:

> Hi
>
> I just encountered a problem with the http_* keywords in Snort rules. There
> is a GET request to www.anywebsite.com/test
>
> The following signature triggers:
> alert ip any any -> any any (content:"test"; msg:"Test Signature";
> sid:"9999999"; rev:1);
>
> The following signatures do not:
> alert ip any any -> any any (content:"test"; http_header; msg:"Test
> Signature"; sid:"9999998"; rev:1);
> alert ip any any -> any any (content:"test"; http_uri; msg:"Test
> Signature"; sid:"9999997"; rev:1);
>
> Does anyone have an idea why?
>
> I tested the behaviour with:
> - Security Onion - Snort 2.9.5.6
>   Default shipped configuration plus the above rules
> - Ubuntu Snort download off the shelf - Snort 2.9.6.0
> - Latest and greatest compiled - Snort 2.9.6.2
>
> There is always the same behaviour.
>
> Thanks already
> guido
>
>

