[Oisf-users] Detect problem with http_header
rmkml
rmkml at yahoo.fr
Fri Dec 23 21:18:07 UTC 2011
Hi,
I have the same problem when using http_header on an HTTP reply.
Merry Christmas.
Regards
Rmkml
On Fri, 23 Dec 2011, Martin Holste wrote:
> http_raw_header does not work. Removing 0d 0a does not work. In
> fact, searching for just "attachment" in http_header does not work.
> Stats show the stream is properly processed and all packets are
> accounted for. No one else is having issues with http_header in
> responses? I verified that the latest git code behaves like the code
> we have in production.
>
> On Fri, Dec 23, 2011 at 1:37 PM, Chris Wakelin
> <c.d.wakelin at reading.ac.uk> wrote:
>> On 23/12/2011 18:59, Martin Holste wrote:
>>> I'm trying to get a signature to work which is looking for a specific
>>> server response HTTP header, namely:
>>> content:"|0d 0a|Content-Disposition: attachment|3b| filename=";
>>> If I add "http_header" as a modifier, it doesn't hit. Client stuff
>>> seems to work fine. I'm using the default libhtp config.
>>> Suggestions?
>>
>> Does it work with http_raw_header?
>>
>> This might be a good case for the new filename:"" keyword in 1.2 beta,
>> though I've not tried it yet and I'm not sure whether you could use a pcre.
>>
>> I'm having some success with the filestore: options though :)
>>
>> Best Wishes,
>> Chris
>>
>> --
>> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
>> Christopher Wakelin, c.d.wakelin at reading.ac.uk
>> IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
>> Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users