Hi,<br>It does fire with rc1 and current git.<br><br>I used your rule but changed the content to "cnn" - since i was loading the <a href="http://cnn.com">cnn.com</a> page.<br>It works with both HTTP and TCP.<br>Now, the only thing that is not 100% reproduced with my test is the exact content of your rule - content:"X-Powered-By";.<br>
If you have a pcap to share would be best, if it is alright with you of course, it can be shared privately as well.<br><br>alert tcp any any -> any any (msg:"http header check"; flow:to_client,established; content:"cnn"; http_header; classtype:attempted-user; sid:9313701; rev:1; )<br>
<br>#this below is the orig rule<br># alert tcp any any -> any any (msg:"http reply found"; flow:to_client,established; content:"X-Powered-By"; http_header; classtype:attempted-user; sid:9313701; rev:1; )<br>
<br>01/12/2012-08:43:40.343448 [**] [1:9313701:1] http header check [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} <a href="http://66.235.142.14:80">66.235.142.14:80</a> -> <a href="http://192.168.137.150:48216">192.168.137.150:48216</a><br>
01/12/2012-08:43:41.129280 [**] [1:9313701:1] http header check [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} <a href="http://69.171.228.39:80">69.171.228.39:80</a> -> <a href="http://192.168.137.150:48056">192.168.137.150:48056</a><br>
01/12/2012-08:43:41.129471 [**] [1:9313701:1] http header check [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} <a href="http://69.171.228.39:80">69.171.228.39:80</a> -> <a href="http://192.168.137.150:48057">192.168.137.150:48057</a><br>
<br>Thanks<br><br><div class="gmail_quote">On Thu, Jan 12, 2012 at 12:27 AM, rmkml <span dir="ltr"><<a href="mailto:rmkml@yahoo.fr" target="_blank">rmkml@yahoo.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hi Victor and all OISF team,<br>
Happy New Year again and Congratulations for this new release!<br>
<br>
Excuse me, but when Im test content with http_header on http reply network traffic: suricata v12rc1 not fire... (without http_header: suricata fire)<br>
<br>
My very simply testing rules:<br>
alert tcp any any -> any any (msg:"http reply found"; flow:to_client,established; content:"X-Powered-By"; http_header; classtype:attempted-user; sid:9313701; rev:1; )<br>
<br>
Anyone confirm please?<br>
Regards<br>
<span><font color="#888888">Rmkml<br>
</font></span><div><div><br>
<br>
On Wed, 11 Jan 2012, Victor Julien wrote:<br>
<br>
> Suricata 1.2rc1 Available!<br>
><br>
> The OISF development team is proud to announce Suricata 1.2rc1, the<br>
> first (and hopefully only) release candidate for Suricata 1.2. It brings<br>
> performance increases, file inspection and extraction improvements and<br>
> much more!<br>
><br>
> Get the new release here:<br>
> <a href="http://www.openinfosecfoundation.org/download/suricata-1.2rc1.tar.gz" target="_blank">http://www.openinfosecfoundation.org/download/suricata-1.2rc1.tar.gz</a><br>
><br>
> The new release comes with a number of important improvements and fixes.<br>
><br>
> New features<br>
><br>
> - app-layer-events keyword: similar to the decoder-events and<br>
> stream-events, this will allow matching on HTTP and SMTP events<br>
> - auto detection of checksum offloading per interface (#311)<br>
> - urilen options to match on raw or normalised URI (#341)<br>
> - flow keyword option "only_stream" and "no_stream"<br>
> - unixsock output options for all outputs except unified2 (PoC python<br>
> script in the qa/ dir) (#250)<br>
><br>
> Improvements<br>
><br>
> - in IPS mode, reject rules now also drop (#399)<br>
> - http_header now also inspects response headers (#389)<br>
> - "worker" runmodes for NFQ and IPFW<br>
> - performance improvement for "ac" pattern matcher<br>
> - allow empty/non-initialized flowints to be incremented<br>
><br>
> Under the hood<br>
><br>
> - PCRE-JIT is now enabled by default if available (#356)<br>
> - many file inspection and extraction improvements<br>
> - flowbits and flowints are now modified in a post-match action list<br>
> - general performance improvements<br>
><br>
> Notable Fixes & Changes<br>
><br>
> - fixed parsing really high sid numbers >2 Billion (#393)<br>
> - fixed ICMPv6 not matching in IP-only sigs (#363)<br>
><br>
> Known issues & missing features<br>
><br>
> This is a "release candidate"-quality release so the stability should be<br>
> good although unexpected corner cases might happen. If you encounter<br>
> one, please let us know!<br>
><br>
> As always, we are doing our best to make you aware of continuing<br>
> development and items within the engine that are not yet complete or<br>
> optimal. With this in mind, please notice the list we have included of<br>
> known items we are working on.<br>
><br>
> See <a href="http://redmine.openinfosecfoundation.org/projects/suricata/issues" target="_blank">http://redmine.openinfosecfoundation.org/projects/suricata/issues</a><br>
> for an up to date list and to report new issues. See<br>
> <a href="http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues" target="_blank">http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues</a><br>
> for a discussion and time line for the major issues.<br>
><br>
><br>
> --<br>
> ---------------------------------------------<br>
> Victor Julien<br>
> <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> ---------------------------------------------<br>
><br>
> _______________________________________________<br>
> Oisf-devel mailing list<br>
> <a href="mailto:Oisf-devel@openinfosecfoundation.org" target="_blank">Oisf-devel@openinfosecfoundation.org</a><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
><br>
_______________________________________________<br>
Oisf-devel mailing list<br>
<a href="mailto:Oisf-devel@openinfosecfoundation.org" target="_blank">Oisf-devel@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Peter Manev<br>