[Oisf-users] Detect problem with http_header

rmkml rmkml at yahoo.fr
Fri Dec 23 21:19:19 UTC 2011


with suricata v1.1.1.
Regards
Rmkml


On Fri, 23 Dec 2011, rmkml wrote:

> Hi,
> I have the same problem when using http_header on an HTTP reply.
> Merry Christmas.
> Regards
> Rmkml
>
>
> On Fri, 23 Dec 2011, Martin Holste wrote:
>
>> http_raw_header does not work.  Removing 0d 0a does not work.  In
>> fact, searching for just "attachment" in http_header does not work.
>> Stats show the stream is properly processed and all packets are
>> accounted for.  No one else is having issues with http_header in
>> responses?  I verified that the latest git code behaves like the code
>> we have in production.
>> 
>> On Fri, Dec 23, 2011 at 1:37 PM, Chris Wakelin
>> <c.d.wakelin at reading.ac.uk> wrote:
>>> On 23/12/2011 18:59, Martin Holste wrote:
>>>> I'm trying to get a signature to work which is looking for a specific
>>>> server response HTTP header, namely:
>>>> content:"|0d 0a|Content-Disposition: attachment|3b| filename=";
>>>> If I add "http_header" as a modifier, it doesn't hit.  Client stuff
>>>> seems to work fine.  I'm using the default libhtp config.
>>>> Suggestions?
>>> 
>>> Does it work with http_raw_header?
>>> 
>>> This might be a good case for the new filename:"" keyword in 1.2 beta,
>>> though I've not tried it yet and I'm not sure whether you could use a 
>>> pcre.
>>> 
>>> I'm having some success with the filestore: options though :)
>>> 
>>> Best Wishes,
>>> Chris
>>> 
>>> --
>>> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
>>> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
>>> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
>>> Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>

