[Oisf-users] Detect problem with http_header

Anoop Saldanha poonaatsoc at gmail.com
Thu Dec 29 16:00:02 UTC 2011


On Sat, Dec 24, 2011 at 9:32 PM, Martin Holste <mcholste at gmail.com> wrote:
> Ok, opened 389.  Happy holidays to all as well!
>
> On Sat, Dec 24, 2011 at 8:31 AM, Victor Julien <victor at inliniac.net> wrote:
>> On 12/23/2011 07:59 PM, Martin Holste wrote:
>>> I'm trying to get a signature to work which is looking for a specific
>>> server response HTTP header, namely:
>>> content:"|0d 0a|Content-Disposition: attachment|3b| filename=";
>>> If I add "http_header" as a modifier, it doesn't hit.  Client stuff
>>> seems to work fine.  I'm using the default libhtp config.
>>> Suggestions?
>>
>> A quick look at code shows what the problem is: in our implementation
>> http_header currently only inspects the request headers. Please open a
>> feature request!
>>
>> Happy holidays everyone!
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Wondering if it makes sense to introduce an explicit keyword-based
option for response header inspection,

http_header<,type>;
http_raw_header<,type>;

where type - request;
           - response;

If no type's specified, we default to just request, or both maybe.

--OR--

We inspect both request and response headers always.

-- 
Anoop Saldanha
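
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Suricata code: a small Python model of a direction-scoped header match, run against Martin's content pattern. The function names, the `scope` parameter, the sample transaction and the simplified header buffer (raw bytes after the start line, up to the blank line) are assumptions made for illustration.

```python
# Constructed sample transaction (not captured traffic).
REQUEST = (b"GET /download?id=7 HTTP/1.1\r\n"
           b"Host: files.example.test\r\n"
           b"Accept: */*\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Disposition: attachment; filename=\"report.pdf\"\r\n"
            b"Content-Length: 4\r\n\r\n%PDF")

# The content string from the signature in the thread.
PATTERN = "|0d 0a|Content-Disposition: attachment|3b| filename="


def decode_content(pattern: str) -> bytes:
    """Decode a rule content string; |0d 0a| style runs become raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        # Odd-numbered parts sit between pipes and hold space-separated hex.
        if i % 2:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def header_block(message: bytes) -> bytes:
    """Header bytes only: from the CRLF ending the start line to the blank line."""
    head = message.split(b"\r\n\r\n", 1)[0]      # drop the body
    _start_line, sep, headers = head.partition(b"\r\n")
    return sep + headers


def http_header_match(pattern: str, request: bytes, response: bytes,
                      scope: str = "request") -> bool:
    """Hypothetical model of http_header<,type>.

    scope="request" is the request-only inspection Victor describes;
    "response" and "both" are the options Anoop proposes.
    """
    buffers = {"request": [request],
               "response": [response],
               "both": [request, response]}[scope]
    needle = decode_content(pattern)
    return any(needle in header_block(msg) for msg in buffers)


if __name__ == "__main__":
    for scope in ("request", "response", "both"):
        print(scope, http_header_match(PATTERN, REQUEST, RESPONSE, scope))
```

With request-only scope the server's Content-Disposition header is never inspected, which is why the signature does not hit once the modifier is added.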


