[Oisf-users] Reply: http_server_body could not point to the beginning of the server response body

Davide Setti d.setti at certego.net
Mon Jan 28 07:31:21 UTC 2019


Hi SuZhe,
Could you also provide an example pcap?

Regards,
Davide

On Mon, Jan 28, 2019 at 02:58, Su Zhe <suzhe_ffgg at outlook.com> wrote:

> Hi
> Does anyone know how to solve this problem?
>
> thank you!
>
> Regards
> SuZhe
> ------------------------------
> *From:* Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of
> 苏 哲 <suzhe_ffgg at outlook.com>
> *Sent:* January 23, 2019 6:18
> *To:* oisf-users at lists.openinfosecfoundation.org
> *Subject:* [Oisf-users] http_server_body could not point to the beginning of
> the server response body
>
> Hi,
> I found that when I wrote rules like:
> *content:"xyz"; nocase; http_server_body; offset:0;*
>
> "offset:0" is actually invalid and useless, because it didn't detect
> from the beginning of the server response body.
>
> I want to know what I should do if I want to detect from the beginning of the
> server response body.
>
> Thanks
> SuZhe



-- 
Davide Setti
R&D and Incident Response Team, Certego