[Emerging-Sigs] Snort's http_inspect and http_header - New Gotcha

Joel Esler jesler at sourcefire.com
Thu Oct 14 18:53:28 EDT 2010


On Thu, Oct 14, 2010 at 6:30 PM, Eoin Miller <eoin.miller at trojanedbinaries.com> wrote:

>  On 10/14/2010 10:21 PM, Joel Esler wrote:
>
>> I think http 1.1 stuff is uri. But I'm on my phone and can't confirm right
>> now.
>>
>> Should send this to snort-sigs.
>>
>> J
>>
> Joel,
>
> Just FYI, I sent tons of example rules, a pcap and write up to
> research at sourcefire.com before posting this.  Because I thought it was a
> bug and could have affected some of the rule rewrites going on in the ET
> group, I went ahead and made a post about it here as well.
>
> Also, I just checked and the following rules do not fire:
>
> alert tcp any any -> any any (msg:"Am I URI"; content:"HTTP/1.1"; http_uri; sid:1; rev:1;)
> alert tcp any any -> any any (msg:"Am I URI"; content:"HTTP"; http_uri; sid:1; rev:1;)
>
> I think these bytes are not in any of the http_inspect buffers?
>
>
Okay, excellent.  Thanks for that.

FWIW -- Bugs with Snort should go to bugs @ snort.org
Bugs with rules should go to research@ sourcefire.com

J
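Added illustration for the point Eoin raises above (this is not code from the thread and not Snort's own http_inspect): a small Python model of how an HTTP inspector carves a request into the buffers that the http_method, http_uri, http_header and http_client_body modifiers select. It assumes the header buffer holds only the header fields and not the request line, so the version token "HTTP/1.1" lands in none of the selectable buffers and only a content match with no modifier (the raw payload) sees it. The sample request and the function names are constructed for the example.

```python
"""Toy model of HTTP request buffer carving, in the style of Snort's
http_inspect.  Simplified illustration, not Snort's own code."""

# Constructed sample request for the example (not a capture from the thread).
SAMPLE_REQUEST = (
    b"GET /index.php?id=1 HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: curl/7.1\r\n"
    b"\r\n"
    b"body=ignored"
)

# Rule modifiers that select a carved buffer.  The version token has no
# modifier of its own in this model, so a content match cannot target it.
MODIFIERS = ("http_method", "http_uri", "http_header", "http_client_body")


def split_http_buffers(request: bytes) -> dict:
    """Carve a raw request into the buffers a rule modifier can select.

    Model assumption: the header buffer holds only the header fields, not
    the request line, so the version token ends up in a separate slot
    that none of the modifiers above selects.
    """
    head, _, body = request.partition(b"\r\n\r\n")
    request_line, _, header_fields = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, uri, version = parts
    return {
        "http_method": method,
        "http_uri": uri,
        "http_header": header_fields,
        "http_client_body": body,
        "request_version": version,  # kept for inspection only, not selectable
        "payload": request,          # what a content match sees with no modifier
    }


def buffers_matching(request: bytes, needle: bytes) -> list:
    """Names of the buffers in which content:"needle" would match."""
    bufs = split_http_buffers(request)
    selectable = MODIFIERS + ("payload",)
    return sorted(name for name in selectable if needle in bufs[name])


if __name__ == "__main__":
    for needle in (b"HTTP/1.1", b"HTTP", b"/index.php", b"example.com"):
        print(needle, "->", buffers_matching(SAMPLE_REQUEST, needle))
```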