[Oisf-users] Detect problem with http_header

Martin Holste mcholste at gmail.com
Fri Dec 23 20:04:20 UTC 2011


http_raw_header does not work.  Removing 0d 0a does not work.  In
fact, searching for just "attachment" in http_header does not work.
Stats show the stream is properly processed and all packets are
accounted for.  No one else is having issues with http_header in
responses?  I verified that the latest git code behaves like the code
we have in production.

On Fri, Dec 23, 2011 at 1:37 PM, Chris Wakelin
<c.d.wakelin at reading.ac.uk> wrote:
> On 23/12/2011 18:59, Martin Holste wrote:
>> I'm trying to get a signature to work which is looking for a specific
>> server response HTTP header, namely:
>> content:"|0d 0a|Content-Disposition: attachment|3b| filename=";
>> If I add "http_header" as a modifier, it doesn't hit.  Client stuff
>> seems to work fine.  I'm using the default libhtp config.
>> Suggestions?
>
> Does it work with http_raw_header?
>
> This might be a good case for the new filename:"" keyword in 1.2 beta,
> though I've not tried it yet and I'm not sure whether you could use a pcre.
>
> I'm having some success with the filestore: options though :)
>
> Best Wishes,
> Chris
>
> --
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
> Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
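Added example (not from either poster, and not part of the original thread): the kind of rules the exchange above is working towards, written in Suricata rule syntax. The first rule takes Martin's approach of matching the Content-Disposition header in the server response, anchored on the header name rather than on the preceding CRLF and with flow direction set to_client so it is evaluated against responses; the second and third use the file-handling keywords Chris mentions (fileext and filestore), which need file tracking enabled in suricata.yaml. The message texts, the sid values, and the "exe" extension are assumptions chosen for illustration. Newer Suricata releases express the same matches with the http.header and file.name sticky buffers; the legacy modifier form used here is the one the thread discusses.

```suricata
# Rule 1: match the response header the thread is trying to detect.
# flow:established,to_client restricts the match to server -> client traffic,
# and the content anchors on "Content-Disposition: attachment; filename="
# rather than on a leading |0d 0a|. nocase covers header-name case variants.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP response with file attachment (added example)"; flow:established,to_client; content:"Content-Disposition|3a 20|attachment|3b| filename="; http_header; nocase; classtype:policy-violation; sid:9000001; rev:1;)

# Rule 2: the file-keyword route Chris suggests. fileext inspects the name
# Suricata extracts from the transaction, so the rule does not have to parse
# the header itself. The "exe" extension is an assumed value.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Executable attachment served to client (added example)"; flow:established,to_client; fileext:"exe"; classtype:policy-violation; sid:9000002; rev:1;)

# Rule 3: store the file for later analysis rather than (or as well as) alerting.
# filestore on its own stores the file that triggered the match.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Store served attachment (added example)"; flow:established,to_client; content:"Content-Disposition|3a 20|attachment"; http_header; nocase; filestore; classtype:policy-violation; sid:9000003; rev:1;)
```

To check that a rule is actually being evaluated against responses, run suricata against a pcap containing a known download (for example `suricata -r download.pcap -S rules.rules -l ./log`) and confirm the sid appears in fast.log; if rule 2 or 3 never fires while rule 1 does, file tracking is most likely not enabled for HTTP in suricata.yaml.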


