[Oisf-devel] content, http_stat_code, and within

Anoop Saldanha anoopsaldanha at gmail.com
Tue Mar 25 16:18:10 UTC 2014


On Tue, Mar 25, 2014 at 9:16 PM, Victor Julien <victor at inliniac.net> wrote:
> On 03/24/2014 09:57 PM, Harley H wrote:
>> Hello,
>>  I'm writing a rule like this:
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "Testing
>> Rule"; content: "200"; http_stat_code; content: "Bad Stuff."; distance:
>> 150; within: 250; sid: 123123; rev: 1;)"
>>
>> I'm getting this error:
>> [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two
>> preceding content or uricontent options
>> 24/3/2014 -- 16:55:28 - <Error> - [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
>> $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "Testing Rule";
>> content: "200"; http_stat_code; content: "Bad Stuff."; distance: 150;
>> within: 250; sid: 123123; rev: 1;)"
>>
>>
>> Is it possible to use distance/within with HTTP keywords?
>
> Yes, but not between the different keywords. Each http keywords
> indicates a different buffer that is inspected.
>

@Harley,

Although this behaviour is different in 2.0, i.e. the above rule will
work and would behave like offset and depth.

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
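As an added illustration of the point Victor makes (example code, not from the thread or from Suricata itself), here is a small Python linter that applies the 1.x-era check behind the quoted error: it tracks which inspection buffer each content keyword targets and flags distance/within when no earlier content lives in that same buffer. The modifier list is an assumed subset, and the check ignores rules with no content at all.

```python
# Legacy content modifiers: each one re-targets the *preceding* content into a
# different inspection buffer. Assumed subset for illustration.
HTTP_MODIFIERS = {
    "http_stat_code", "http_stat_msg", "http_uri", "http_raw_uri",
    "http_header", "http_raw_header", "http_method", "http_cookie",
    "http_client_body", "http_server_body", "http_user_agent", "http_host",
}
RELATIVE = {"distance", "within"}  # relative to the previous content match

# The rule from the thread (reformatted onto one line) and a constructed rule
# whose two contents share the default payload buffer.
THREAD_RULE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Testing Rule"; '
               'content:"200"; http_stat_code; content:"Bad Stuff."; distance:150; '
               'within:250; sid:123123; rev:1;)')
OK_RULE = ('alert tcp any any -> any any (msg:"ok"; content:"foo"; '
           'content:"bar"; distance:1; within:10; sid:1; rev:1;)')

def split_options(rule):
    """Return the rule body as (keyword, value) pairs.
    Splits on ';' only outside double quotes, so a ';' inside a content string survives."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quotes = [], "", False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur)
    return [(name.strip(), val.strip()) for name, _, val in (o.partition(":") for o in opts)]

def check_relative_modifiers(rule):
    """Model the 1.x check: distance/within need an earlier content in the same buffer.
    Modifiers may appear in any order after their content, so buffers are resolved first."""
    contents = []  # one entry per content/uricontent, in rule order
    for kw, val in split_options(rule):
        if kw in ("content", "uricontent"):
            contents.append({"value": val, "relative": [],
                             "buffer": "http_uri" if kw == "uricontent" else "payload"})
        elif kw in HTTP_MODIFIERS and contents:
            contents[-1]["buffer"] = kw            # re-target the preceding content
        elif kw in RELATIVE and contents:
            contents[-1]["relative"].append(kw)    # attach to the preceding content
    errors = []
    for i, c in enumerate(contents):
        same_buffer = [p for p in contents[:i] if p["buffer"] == c["buffer"]]
        for kw in c["relative"]:
            if not same_buffer:
                errors.append(f"{kw} on content {c['value']} needs a preceding "
                              f"content in the '{c['buffer']}' buffer")
    return errors
```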
