[Emerging-Sigs] New http inspect split - snort 2.8.3

Rodrigo Montoro(Sp0oKeR) spooker at gmail.com
Wed Jul 9 16:53:47 EDT 2008


Hi all,
   I think, as most people here know, snort 2.8.3 will have new features for
new rules:

New Feature for HTTP Inspect to split requests into 5 components -
      Method, URI, Header (non-cookie), Cookies, Body.  Added HTTP server
      specific configurations to normalize HTTP header and/or cookie buffers.
      Provided content and PCRE modifiers to allow searches within one or
      more of those individual buffers

  Rules will be written in another way, as:


3.5.9 http cookie
The http cookie keyword is a content modifier that restricts the search to
the extracted Cookie Header field of an HTTP client request. The rule listed
in Figure 3.19 constrains the search for the pattern "EFG" to the extracted
Cookie Header field of an HTTP client request. As this keyword is a modifier
to the previous 'content' keyword, there must be a content in the rule
before 'http cookie' is specified. The extracted Cookie Header field may be
NORMALIZED, per the configuration of HttpInspect (see 2.1.8).

Format
http_cookie;

Examples
alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_cookie;)

3.5.10 http header
The http header keyword is a content modifier that restricts the search to
the extracted Header fields of an HTTP client request. The rule listed in
Figure 3.20 constrains the search for the pattern "EFG" to the extracted
Header fields of an HTTP client request. As this keyword is a modifier to the
previous 'content' keyword, there must be a content in the rule before 'http
header' is specified. The extracted Header fields may be NORMALIZED, per the
configuration of HttpInspect (see 2.1.8).

Format
http_header;

Examples
alert tcp any any -> any 80 (content:"ABC"; content: "EFG"; http_header;)

3.5.11 http method
The http method keyword is a content modifier that restricts the search to
the extracted Method from an HTTP client request. The rule listed in Figure
3.21 constrains the search for the pattern "GET" to the extracted Method
from an HTTP client request. As this keyword is a modifier to the previous
'content' keyword, there must be a content in the rule before 'http method'
is specified.

Format
http_method;

Examples
alert tcp any any -> any 80 (content:"ABC"; content: "GET"; http_method;)

More info in the snort-2.8.3-9Beta manual.

Will ET try to update rules? Or just for new rules?

Regards,

-- 
===========================
Rodrigo Montoro (Sp0oKeR)
Security Analyst
SnortCP / RHCE / LPIC-I / MCSO
http://www.spooker.com.br
http://www.snort.org.br
http://www.linkedin.com/in/spooker
===========================
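To make the manual excerpt quoted above concrete, here is an added Python model (not Snort's code, and not part of the original post) of the 2.8.3 split: a raw client request is cut into the five HTTP Inspect buffers, and a content match with http_method, http_header or http_cookie is restricted to its buffer while an unmodified content searches the whole payload. The request is constructed for the example; normalization, folded headers and chunked bodies are left out.

```python
def split_http_request(raw: bytes) -> dict:
    """Split a raw client request into the five HTTP Inspect buffers.
    Simplified model: no normalization, no folded headers, no chunking."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else b""
    headers, cookies = [], []
    for line in lines[1:]:
        name, _, _ = line.partition(b":")
        # Cookie lines feed the cookie buffer; all other lines the header buffer.
        (cookies if name.strip().lower() == b"cookie" else headers).append(line)
    return {"method": method, "uri": uri, "header": b"\r\n".join(headers),
            "cookie": b"\r\n".join(cookies), "body": body}

# The three modifiers quoted from the manual, mapped to their buffer.
MODIFIERS = {"http_method": "method", "http_header": "header",
             "http_cookie": "cookie"}

def rule_matches(raw: bytes, contents) -> bool:
    """contents: list of (pattern, modifier_or_None). Every content must match;
    a modifier confines that pattern to one buffer, None searches the payload."""
    buffers = split_http_request(raw)
    for pattern, modifier in contents:
        haystack = raw if modifier is None else buffers[MODIFIERS[modifier]]
        if pattern not in haystack:
            return False
    return True

# Constructed sample request: "GET" and "EFG" occur only in the body,
# "ABC" only in the Cookie header.
SAMPLE = (b"POST /login HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"Cookie: session=ABC\r\n"
          b"User-Agent: test-agent\r\n"
          b"Content-Length: 11\r\n"
          b"\r\n"
          b"user=GETEFG")

if __name__ == "__main__":
    # Manual example 3.5.9: content:"ABC"; content:"EFG"; http_cookie;
    print(rule_matches(SAMPLE, [(b"ABC", None), (b"EFG", "http_cookie")]))  # False
    # Same patterns without the modifier fire on the body alone
    print(rule_matches(SAMPLE, [(b"ABC", None), (b"EFG", None)]))           # True
    # Manual example 3.5.11: content:"ABC"; content:"GET"; http_method;
    print(rule_matches(SAMPLE, [(b"ABC", None), (b"GET", "http_method")]))  # False
```

The unrestricted versions of the same rules fire on the request body, which is the false-positive class the buffer split is meant to remove.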