[Oisf-users] Detect problem with http_header

Chris Wakelin c.d.wakelin at reading.ac.uk
Fri Dec 23 19:37:43 UTC 2011

On 23/12/2011 18:59, Martin Holste wrote:
> I'm trying to get a signature to work which is looking for a specific
> server response HTTP header, namely:
> content:"|0d 0a|Content-Disposition: attachment|3b| filename=";
> If I add "http_header" as a modifier, it doesn't hit.  Client stuff
> seems to work fine.  I'm using the default libhtp config.
> Suggestions?

Does it work with http_raw_header?

This might be a good case for the new filename:"" keyword in 1.2 beta, 
though I've not tried it yet and I'm not sure whether you could use a pcre.

I'm having some success with the filestore: options though :)

Best Wishes,

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094

More information about the Oisf-users mailing list