[Oisf-devel] content, http_stat_code, and within
Victor Julien
victor at inliniac.net
Tue Mar 25 15:46:58 UTC 2014
On 03/24/2014 09:57 PM, Harley H wrote:
> Hello,
> I'm writing a rule like this:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "Testing
> Rule"; content: "200"; http_stat_code; content: "Bad Stuff."; distance:
> 150; within: 250; sid: 123123; rev: 1;)"
>
> I'm getting this error:
> [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two
> preceding content or uricontent options
> 24/3/2014 -- 16:55:28 - <Error> - [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
> $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "Testing Rule";
> content: "200"; http_stat_code; content: "Bad Stuff."; distance: 150;
> within: 250; sid: 123123; rev: 1;)"
>
>
> Is it possible to use distance/within with HTTP keywords?
Yes, but not between the different keywords. Each http keyword
indicates a different buffer that is inspected.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
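
The buffer rule from the reply above, as an added example that is not part of the original thread and is not Suricata's own parser: a simplified Python check that flags distance/within on a content with no earlier content in the same buffer. The function names, the `payload` label for unmodified contents and the `<html>` anchor in the second rule are assumptions made for illustration.

```python
import re

# HTTP content modifiers: each moves the preceding content into its own buffer.
HTTP_BUFFERS = {
    "http_uri", "http_raw_uri", "http_method", "http_header", "http_raw_header",
    "http_cookie", "http_user_agent", "http_host", "http_raw_host",
    "http_client_body", "http_server_body", "http_stat_code", "http_stat_msg",
}
RELATIVE = {"distance", "within"}

def parse_contents(rule):
    """Return one dict per content option: pattern, buffer, relative keywords."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents = []
    for raw in re.split(r"(?<!\\);", body):      # ';' inside a pattern is escaped
        key, _, val = raw.strip().partition(":")
        key = key.strip()
        if key == "content":
            contents.append({"pattern": val.strip().strip('"'),
                             "buffer": "payload", "relative": []})
        elif contents and key in HTTP_BUFFERS:
            contents[-1]["buffer"] = key         # modifier applies to the last content
        elif contents and key in RELATIVE:
            contents[-1]["relative"].append(key)
    return contents

def cross_buffer_relatives(rule):
    """Flag contents whose distance/within has no earlier content in the same buffer."""
    contents = parse_contents(rule)
    findings = []
    for i, cur in enumerate(contents):
        same_buffer_before = any(c["buffer"] == cur["buffer"] for c in contents[:i])
        if cur["relative"] and not same_buffer_before:
            findings.append((cur["pattern"], cur["buffer"], tuple(cur["relative"])))
    return findings

# The rule from the question, and a constructed variant that keeps both
# relative matches inside http_server_body ("<html>" is a made-up anchor).
PAGE_RULE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "Testing Rule"; '
             'content: "200"; http_stat_code; content: "Bad Stuff."; distance: 150; '
             'within: 250; sid: 123123; rev: 1;)')
SAME_BUFFER_RULE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "Testing Rule"; '
                    'content: "200"; http_stat_code; content: "<html>"; http_server_body; '
                    'content: "Bad Stuff."; http_server_body; distance: 150; within: 250; '
                    'sid: 123123; rev: 1;)')

if __name__ == "__main__":
    print(cross_buffer_relatives(PAGE_RULE))
    print(cross_buffer_relatives(SAME_BUFFER_RULE))
```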