[Emerging-Sigs] Snort's http_inspect and http_header - New Gotcha

Eoin Miller eoin.miller at trojanedbinaries.com
Thu Oct 14 18:30:54 EDT 2010

  On 10/14/2010 10:21 PM, Joel Esler wrote:
> I think http 1.1 stuff is uri. But I'm on my phone and can't confirm right now.
> Should send this to snort-sigs.
Just FYI, I sent tons of example rules, a pcap and write-up to 
research at sourcefire.com before posting this.  Because I thought it was a 
bug and could have affected some of the rule rewrites going on in the ET 
group, I went ahead and made a post about it here as well.

Also, I just checked and the following rules do not fire:

# Test rules: content restricted to the normalized URI buffer (second rule given sid:2 so the two do not collide)
alert tcp any any -> any any (msg:"Am I URI"; content:"HTTP/1.1"; http_uri; sid:1; rev:1;)
alert tcp any any -> any any (msg:"Am I URI"; content:"HTTP"; http_uri; sid:2; rev:1;)

I think these bytes are not in any of the http_inspect buffers?

-- Eoin
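An added illustration, not from the thread and not Snort's own code: a small Python model of how a client request is carved into separate inspection buffers, which makes the observation above concrete. The buffer split is an assumption modelled on what the thread reports (request line split into method and URI, headers starting after the request line, and the "HTTP/1.1" version token belonging to neither the URI nor the header buffer); the dictionary keys reuse Snort's content-modifier names only as labels, and the sample request is constructed.

```python
"""Model of the buffer split a Snort 2.x-style http_inspect preprocessor
exposes to content modifiers (http_method, http_uri, http_header,
http_client_body). Added example, not Snort code; the split is an
assumption based on the behaviour reported in the thread."""


def split_http_request(raw: bytes) -> dict:
    """Carve a raw HTTP request into buffers keyed like Snort's modifiers.

    The protocol version token ("HTTP/1.1") is kept under a separate key
    only so it can be inspected; in this model it is NOT a content buffer,
    matching the observation that http_uri/http_header cannot see it.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else b""
    version = parts[2] if len(parts) > 2 else b""
    # Header buffer starts after the request line; each line keeps its CRLF.
    header = b"".join(line + b"\r\n" for line in lines[1:])
    return {
        "http_method": method,
        "http_uri": uri,
        "http_header": header,
        "http_client_body": body,
        "version": version,  # assumption: not exposed as a match buffer
    }


CONTENT_BUFFERS = ("http_method", "http_uri", "http_header", "http_client_body")


def buffers_containing(raw: bytes, pattern: bytes) -> list:
    """Return the names of the content buffers in which `pattern` occurs.

    The unmodified payload is reported as "raw" for comparison, so a rule
    writer can see when a pattern is only reachable without a modifier.
    """
    bufs = split_http_request(raw)
    hits = [name for name in CONTENT_BUFFERS if pattern in bufs[name]]
    if pattern in raw:
        hits.append("raw")
    return hits


# Constructed sample request (not captured traffic).
SAMPLE_REQUEST = (
    b"GET /index.html?q=test HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: constructed-client/1.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for pat in (b"HTTP/1.1", b"HTTP", b"index.html", b"Host"):
        print(pat, "->", buffers_containing(SAMPLE_REQUEST, pat))
```

Running it shows that "HTTP/1.1" and "HTTP" are found only in the raw payload, while "index.html" lands in http_uri and "Host" in http_header; a rule whose content is pinned to http_uri therefore never gets a chance to match the version token, which is the behaviour the two test rules above exhibit.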

