[Oisf-devel] content, http_stat_code, and within
Harley H
bobb.harley at gmail.com
Mon Mar 24 20:57:13 UTC 2014
Hello,
I'm writing a rule like this:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "Testing Rule";
content: "200"; http_stat_code; content: "Bad Stuff."; distance: 150;
within: 250; sid: 123123; rev: 1;)"
I'm getting this error:
[ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two
preceding content or uricontent options
24/3/2014 -- 16:55:28 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET
any (msg: "Testing Rule"; content: "200"; http_stat_code; content: "Bad
Stuff."; distance: 150; within: 250; sid: 123123; rev: 1;)"
Is it possible to use distance/within with HTTP keywords?
-Harley
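
An added example, not part of the original post and not Suricata's own code: a small Python lint that reproduces the condition behind the SC_ERR_DISTANCE_MISSING_CONTENT error above. It assumes that distance/within are resolved against an earlier content in the same buffer and that a modifier such as http_stat_code moves the preceding content out of the payload buffer; the function names, the modifier list and the second rule are constructed for the example.

```python
import re

# Assumed subset of content modifiers that move the preceding content
# into an HTTP buffer (illustrative list, not taken from the post).
HTTP_MODIFIERS = {"http_stat_code", "http_stat_msg", "http_uri",
                  "http_header", "http_client_body", "http_server_body"}
RELATIVE = {"distance", "within"}

def parse_options(rule):
    """Return (keyword, value) pairs from the rule's option block."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = []
    # Split on ';' but keep semicolons that sit inside double quotes.
    for part in re.findall(r'(?:[^;"]|"[^"]*")+', body):
        key, _, value = part.strip().partition(":")
        if key.strip():
            pairs.append((key.strip(), value.strip()))
    return pairs

def lint_relative(rule):
    """List relative keywords with no earlier content in the same buffer."""
    contents = []
    for key, value in parse_options(rule):
        if key == "content":
            contents.append({"pattern": value, "buffer": "payload", "rel": []})
        elif key in HTTP_MODIFIERS and contents:
            contents[-1]["buffer"] = key
        elif key in RELATIVE and contents:
            contents[-1]["rel"].append(key)
    findings = []
    for i, cur in enumerate(contents):
        same_buffer = [c for c in contents[:i] if c["buffer"] == cur["buffer"]]
        if cur["rel"] and not same_buffer:
            findings.append((cur["pattern"], cur["buffer"], cur["rel"]))
    return findings

# The rule from the post, and a constructed variant with both contents
# left in the payload buffer.
POSTED = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
          '(msg: "Testing Rule"; content: "200"; http_stat_code; '
          'content: "Bad Stuff."; distance: 150; within: 250; '
          'sid: 123123; rev: 1;)')
SAME_BUFFER = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
               '(msg: "Constructed"; content: "Bad"; content: "Stuff."; '
               'distance: 150; within: 250; sid: 123124; rev: 1;)')

if __name__ == "__main__":
    for name, rule in (("posted", POSTED), ("same buffer", SAME_BUFFER)):
        print(name, lint_relative(rule))
```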