<div>I agree with Martin - it would be an advantage.... and a handy thingy as well.</div>
<div><br><br> </div>
<div class="gmail_quote">On Thu, Dec 29, 2011 at 12:16 PM, Martin Holste <span dir="ltr"><<a href="mailto:mcholste@gmail.com">mcholste@gmail.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">Are request headers completely unparsed at the moment with HTPlib? I<br>would think that the intensive work is already done anyway by HTPlib,<br>
regardless of pattern matching. I think that the keyword should work<br>the same way it does in Snort, as I see little advantage to verbosely<br>specifying the direction, since the stream direction already does<br>that.<br>
<br>One thing to consider that would be a major improvement over Snort<br>would be to actually parse the headers (again, I'm assuming that<br>HTPlib already does this) so you could specify a normalized header is<br>present, like this:<br>
content:"asdf"; http_user_agent;<br><br>That would be a HUGE win, and I don't think it would be nearly as much<br>work as you'd think, since HTPlib should be doing that parsing<br>already. The main work would be adding all the keywords in, but I<br>
think we can all agree that it would be worth it because so many<br>signatures rely on searching specific header values.<br>
<div class="HOEnZb">
<div class="h5"><br>On Thu, Dec 29, 2011 at 10:00 AM, Anoop Saldanha <<a href="mailto:poonaatsoc@gmail.com">poonaatsoc@gmail.com</a>> wrote:<br>> On Sat, Dec 24, 2011 at 9:32 PM, Martin Holste <<a href="mailto:mcholste@gmail.com">mcholste@gmail.com</a>> wrote:<br>
>> Ok, opened 389. Happy holidays to all as well!<br>>><br>>> On Sat, Dec 24, 2011 at 8:31 AM, Victor Julien <<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>> wrote:<br>>>> On 12/23/2011 07:59 PM, Martin Holste wrote:<br>
>>>> I'm trying to get a signature to work which is looking for a specific<br>>>>> server response HTTP header, namely:<br>>>>> content:"|0d 0a|Content-Disposition: attachment|3b| filename=";<br>
>>>> If I add "http_header" as a modifier, it doesn't hit. Client stuff<br>>>>> seems to work fine. I'm using the default libhtp config.<br>>>>> Suggestions?<br>>>><br>
>>> A quick look at code shows what the problem is: in our implementation<br>>>> http_header currently only inspects the request headers. Please open a<br>>>> feature request!<br>>>><br>
>>> Happy holidays everyone!<br>>>><br>>>> --<br>>>> ---------------------------------------------<br>>>> Victor Julien<br>>>> <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
>>> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>>>> ---------------------------------------------<br>>>><br>>>> _______________________________________________<br>
>>> Oisf-users mailing list<br>>>> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>>>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>> _______________________________________________<br>>> Oisf-users mailing list<br>>> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>> Wondering if it makes sense to introduce explicit keyword based<br>> option for response header inspection,<br>><br>> http_header<,type>;<br>> http_raw_header<,type>;<br>><br>> where type - request;<br>
> - response;<br>><br>> if no type's specified we default to just request or both maybe.<br>><br>> --OR--<br>><br>> we inspect both request and response headers always.<br>><br>
> --<br>> Anoop Saldanha<br>_______________________________________________<br>Oisf-users mailing list<br><a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br><a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Peter Manev<br>