[Oisf-devel] content, http_stat_code, and within
rmkml
rmkml at yahoo.fr
Mon Mar 24 21:10:10 UTC 2014
Hi Harley,
Thx for sharing,
Maybe first add flow:from_server,established;
maybe add file_data; after http_stat_code;
Regards
@Rmkml
On Mon, 24 Mar 2014, Harley H wrote:
> Hello, I'm writing a rule like this:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "Testing Rule"; content: "200"; http_stat_code; content: "Bad Stuff."; distance: 150; within: 250; sid: 123123; rev: 1;)
>
> I'm getting this error:
> [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two preceding content or uricontent options
> 24/3/2014 -- 16:55:28 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "Testing Rule"; content: "200"; http_stat_code; content: "Bad Stuff."; distance: 150; within: 250; sid: 123123; rev: 1;)"
>
>
> Is it possible to use distance/within with HTTP keywords?
>
> -Harley
>
>