[Oisf-users] Detect problem with http_header
Chris Wakelin
c.d.wakelin at reading.ac.uk
Fri Dec 23 19:37:43 UTC 2011
On 23/12/2011 18:59, Martin Holste wrote:
> I'm trying to get a signature to work which is looking for a specific
> server response HTTP header, namely:
> content:"|0d 0a|Content-Disposition: attachment|3b| filename=";
> If I add "http_header" as a modifier, it doesn't hit. Client stuff
> seems to work fine. I'm using the default libhtp config.
> Suggestions?
Does it work with http_raw_header?
This might be a good case for the new filename:"" keyword in 1.2 beta,
though I've not tried it yet and I'm not sure whether you could use a pcre.
I'm having some success with the filestore: options though :)
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
More information about the Oisf-users
mailing list