[Oisf-users] Detect problem with http_header

Peter Manev petermanev at gmail.com
Thu Dec 29 18:18:16 UTC 2011


I agree with Martin - it would be an advantage.... and a handy thingy as
well.



On Thu, Dec 29, 2011 at 12:16 PM, Martin Holste <mcholste at gmail.com> wrote:

> Are request headers completely unparsed at the moment with HTPlib?  I
> would think that the intensive work is already done anyway by HTPlib,
> regardless of pattern matching.  I think that the keyword should work
> the same way it does in Snort, as I see little advantage to verbosely
> specifying the direction, since the stream direction already does
> that.
>
> One thing to consider that would be a major improvement over Snort
> would be to actually parse the headers (again, I'm assuming that
> HTPlib already does this) so you could specify a normalized header is
> present, like this:
> content:"asdf"; http_user_agent;
>
> That would be a HUGE win, and I don't think it would be nearly as much
> work as you'd think, since HTPlib should be doing that parsing
> already.  The main work would be adding all the keywords in, but I
> think we can all agree that it would be worth it because so many
> signatures rely on searching specific header values.
>
> On Thu, Dec 29, 2011 at 10:00 AM, Anoop Saldanha <poonaatsoc at gmail.com> wrote:
> > On Sat, Dec 24, 2011 at 9:32 PM, Martin Holste <mcholste at gmail.com> wrote:
> >> Ok, opened 389.  Happy holidays to all as well!
> >>
> >> On Sat, Dec 24, 2011 at 8:31 AM, Victor Julien <victor at inliniac.net> wrote:
> >>> On 12/23/2011 07:59 PM, Martin Holste wrote:
> >>>> I'm trying to get a signature to work which is looking for a specific
> >>>> server response HTTP header, namely:
> >>>> content:"|0d 0a|Content-Disposition: attachment|3b| filename=";
> >>>> If I add "http_header" as a modifier, it doesn't hit.  Client stuff
> >>>> seems to work fine.  I'm using the default libhtp config.
> >>>> Suggestions?
> >>>
> >>> A quick look at code shows what the problem is: in our implementation
> >>> http_header currently only inspects the request headers. Please open a
> >>> feature request!
> >>>
> >>> Happy holidays everyone!
> >>>
> >>> --
> >>> ---------------------------------------------
> >>> Victor Julien
> >>> http://www.inliniac.net/
> >>> PGP: http://www.inliniac.net/victorjulien.asc
> >>> ---------------------------------------------
> >>>
> >>> _______________________________________________
> >>> Oisf-users mailing list
> >>> Oisf-users at openinfosecfoundation.org
> >>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Wondering if it makes sense to introduce an explicit keyword-based
> > option for response header inspection,
> >
> > http_header<,type>;
> > http_raw_header<,type>;
> >
> > where type - request;
> >                   - response;
> >
> > if no type's specified we default to just request or both maybe.
> >
> > --OR--
> >
> > we inspect both request and response headers always.
> >
> > --
> > Anoop Saldanha



-- 
Peter Manev
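
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Suricata or libhtp code: a small Python model of header inspection buffers, showing why the Content-Disposition pattern only hits once response headers are inspected, and how a per-header buffer would scope a match like content:"asdf"; http_user_agent;. The function names and the sample request and response are constructed for illustration.

```python
def decode_content(pattern: str) -> bytes:
    """Decode a Snort/Suricata-style content string; |0d 0a| spans are hex bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd segments sit between pipes: a list of hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def header_block(message: bytes) -> bytes:
    """Raw header bytes: after the start line, before the blank line."""
    head, _, _body = message.partition(b"\r\n\r\n")
    _start_line, _, headers = head.partition(b"\r\n")
    return headers

def header_value(message: bytes, name: str) -> bytes:
    """Value of one named header (case-insensitive): a per-header buffer."""
    for line in header_block(message).split(b"\r\n"):
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == name.lower().encode():
            return value.strip()
    return b""

def match(content: str, buffer: bytes) -> bool:
    return decode_content(content) in buffer

def inspect_headers(content: str, request: bytes, response: bytes,
                    include_response: bool) -> bool:
    """Model of http_header: request-only (as reported) or both directions."""
    buffers = [header_block(request)]
    if include_response:
        buffers.append(header_block(response))
    return any(match(content, b) for b in buffers)

# Constructed sample transaction (not captured traffic).
REQUEST = (b"GET /report.pdf HTTP/1.1\r\nHost: example.test\r\n"
           b"User-Agent: asdf-client/1.0\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
            b"Content-Disposition: attachment; filename=report.pdf\r\n\r\n%PDF")

# Content pattern quoted in the thread.
SIG = "|0d 0a|Content-Disposition: attachment|3b| filename="

if __name__ == "__main__":
    print("request-only :", inspect_headers(SIG, REQUEST, RESPONSE, False))
    print("both         :", inspect_headers(SIG, REQUEST, RESPONSE, True))
    print("user-agent   :", match("asdf", header_value(REQUEST, "User-Agent")))
```

Because the pattern begins with |0d 0a|, in this model it can only match a header that is not the first line of the header buffer.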