[Snort-users] How to detect http response body

Y M snort at ...15979...
Wed Nov 2 23:38:20 EDT 2016

Whoops, I misread your original post. Yeah, client request body won't work in this case. In this case without a capture it would be difficult to tell what's going.


On Thu, Nov 3, 2016 at 4:28 AM +0300, "Maxim" <hittlle at ...7427...<mailto:hittlle at ...7427...>> wrote:

It's response body, not request body


在 2016-11-02 20:04:45,"Y M" <snort at ...15979...> 写道:
Have you tried using the content modifier "http_client_body"? Also, If the string constantly appears at fixed offset, you can further optimize with content modifiers "offset" and "depth". These are all part of the documentation.



On Wed, Nov 2, 2016 at 2:14 PM +0300, "Maxim" <hittlle at ...7427...<mailto:hittlle at ...7427...>> wrote:

Hi all,
We came across a weird scenario. We used the following rule to detect http response body
  alert tcp any any -> $HOME_NET any ( sid: 10000003; file_data; content:"ASED"; nocase; rev:1; classtype: misc-activity;msg:"cve-test";)
And we do see such a string in the response body, but snort did not trigger any alerts. Are we missing anything? Many thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161103/e0b5da15/attachment.html>

More information about the Snort-users mailing list