[Oisf-users] rule using http protocol not working
GORHAM JOHNSON, OZELINA
og1939 at att.com
Mon Feb 18 16:06:18 UTC 2019
I am trying to create a signature using the http protocol with the keywords http_header and http_uri, but the signature does not match the packet:
alert http any any -> any any (msg:"Test http headers"; content:"Host|3A| www.test1.url.com"; http_header; content:"page2"; http_uri; fast_pattern; classtype:bad-unknown; rev:10; sid:9902;)
But if I use the tcp protocol, the signature matches:
alert tcp any any -> any $HTTP_PORTS (msg:"Test REJECT page2"; content:"Host|3A| www.test1.url.com"; content:"page2"; fast_pattern; classtype:bad-unknown; rev:10; sid:2;)
Sample packet (Wireshark decode of the HTTP request):
GET /page2 HTTP/1.1\r\n
Host: www.test1.url.com\r\n
Connection: close\r\n
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
Accept-Encoding: gzip, deflate, compress\r\n
\r\n
[Full request URI: http://www.test1.url.com/page2]
[HTTP request 1/1]
Would someone explain why the signature using the http protocol does not work?
Ena
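The following is an added example, not part of the original post and not Suricata's own code. It models how the two posted rules' content matches are applied to the sample request: it parses Suricata-style content strings (including the |3A| hex escape), splits the raw request into simplified http_uri and http_header buffers (an assumption: real Suricata normalizes these buffers further), and checks which buffer each content lands in. The request bytes are constructed to match the packet dump in the post; the rule parser is a deliberately minimal one that only handles the option syntax used in the two posted rules.

```python
"""Model of how the two posted rules' content matches apply to the sample request.

Added example, not from the original post or from Suricata.  It parses
Suricata-style content strings (with |hex| escapes), builds simplified
http_uri / http_header buffers from the raw request, and evaluates each
content/modifier pair of the two posted rules against them.
"""

# Constructed sample: the request from the post, re-assembled as raw bytes.
SAMPLE_REQUEST = (
    b"GET /page2 HTTP/1.1\r\n"
    b"Host: www.test1.url.com\r\n"
    b"Connection: close\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) "
    b"Gecko/20050511 Firefox/1.0.4\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate, compress\r\n"
    b"\r\n"
)

# The two rules exactly as posted.
HTTP_RULE = ('alert http any any -> any any (msg:"Test http headers"; '
             'content:"Host|3A| www.test1.url.com"; http_header; '
             'content:"page2"; http_uri; fast_pattern; '
             'classtype:bad-unknown; rev:10; sid:9902;)')
TCP_RULE = ('alert tcp any any -> any $HTTP_PORTS (msg:"Test REJECT page2"; '
            'content:"Host|3A| www.test1.url.com"; content:"page2"; '
            'fast_pattern; classtype:bad-unknown; rev:10; sid:2;)')

# Content modifiers this simplified model knows how to map to a buffer.
MODIFIERS = {"http_uri", "http_header", "http_method", "http_client_body"}


def parse_content(spec: str) -> bytes:
    """Turn a content string such as 'Host|3A| www' into the bytes it matches.

    Text between pipe characters is hex (spaces allowed between bytes);
    everything outside the pipes is taken literally.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                      # inside |...| -> hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                               # outside -> literal text
            out += part.encode("latin-1")
    return bytes(out)


def http_buffers(raw: bytes) -> dict:
    """Split a raw request into the buffers the rule modifiers refer to.

    Simplified model (assumption): Suricata builds these from its HTTP
    app-layer parser and normalizes them; here the request line is split on
    spaces and the header block is everything up to the blank line.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return {
        "payload": raw,                     # what an unmodified content: sees
        "http_method": method,
        "http_uri": uri,
        "http_header": headers + b"\r\n",
        "http_client_body": body,
    }


def parse_rule_contents(rule: str) -> list:
    """Extract (content_bytes, buffer_name) pairs from a rule's option block.

    A content is tied to the modifier keyword that immediately follows it
    (http_uri, http_header, ...); with no modifier it matches the raw payload.
    Minimal parser: options are split on ';', so it assumes no ';' inside
    quoted strings, which holds for the two posted rules.
    """
    options = rule[rule.index("(") + 1:rule.rindex(")")]
    tokens = [t.strip() for t in options.split(";") if t.strip()]
    pairs = []
    for idx, tok in enumerate(tokens):
        if tok.startswith("content:"):
            spec = tok[len("content:"):].strip().strip('"')
            buf = "payload"
            if idx + 1 < len(tokens) and tokens[idx + 1] in MODIFIERS:
                buf = tokens[idx + 1]
            pairs.append((parse_content(spec), buf))
    return pairs


def rule_matches(rule: str, raw: bytes) -> dict:
    """Map each (content, buffer) of the rule to whether it is found there."""
    bufs = http_buffers(raw)
    return {(content, buf): content in bufs[buf]
            for content, buf in parse_rule_contents(rule)}


if __name__ == "__main__":
    for name, rule in (("http", HTTP_RULE), ("tcp", TCP_RULE)):
        for (content, buf), hit in rule_matches(rule, SAMPLE_REQUEST).items():
            print(f"{name} rule: {content!r} in {buf}: {hit}")
```

In this model both rules' contents are found in the buffers they name: "Host: www.test1.url.com" is in the header block and "page2" is in the URI. What the model does not cover is that in Suricata the http_header and http_uri buffers exist only for traffic its HTTP app-layer parser has actually parsed into a transaction, whereas an unmodified content: (as in the tcp rule) is checked against the TCP payload itself; that is the condition to check next when a tcp rule fires and the http version of it does not.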