Snort mailing list archives

sid:2278 will never fire with 2.8.6


From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 12 May 2010 22:38:36 -0500

The modifications you have made to sid:2278 in the 2.8.6 rules will
cause this sig to never fire.  You can't use a http_header content
modifier in conjunction with a byte_test,relative match in 2.8.6.
Actually it looks like the bug still exists where you can't use
byte_test in conjunction with the http_header keyword in the same rule
even if it isn't relative.  For example if you modify the sig to use
an absolute offset of 73 (using the attached pcap) rather than a
relative offset and just have the http_header match present in the
same rule the sig won't fire.  If you simply remove the http_header
modifier in either case the sig fires with a relative or absolute
offset.

Regards,

Will

Attachment: ncontentlen.pcap
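To make the combination being reported concrete, here is an illustrative pair of rules (added for this archive page; they are not sid:2278, nor any rule from the Snort ruleset, and the Content-Length pattern, the offsets and the sid values are assumptions). The first rule pairs an http_header content match with a relative byte_test, which is the shape the post says never fires on 2.8.6; the second keeps the same byte_test but drops the http_header modifier, which is the shape the post says does fire:

```snort
# Hypothetical rule A: http_header content followed by byte_test,relative.
# Per the post above, this shape does not fire on Snort 2.8.6 even when the
# traffic matches. (Illustration only, not sid:2278.)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"ILLUSTRATION http_header plus relative byte_test"; \
    flow:to_server,established; \
    content:"Content-Length|3A| "; nocase; http_header; \
    byte_test:1,<,0x30,0,relative; \
    classtype:misc-activity; sid:1000001; rev:1;)

# Hypothetical rule B: same content and byte_test, http_header removed.
# This is the workaround shape the post reports as firing with either a
# relative or an absolute byte_test offset.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"ILLUSTRATION plain content plus relative byte_test"; \
    flow:to_server,established; \
    content:"Content-Length|3A| "; nocase; \
    byte_test:1,<,0x30,0,relative; \
    classtype:misc-activity; sid:1000002; rev:1;)

# Hypothetical rule C: absolute byte_test offset (the post cites offset 73
# against its own pcap; 73 is only meaningful for that capture) with
# http_header still present. The post reports this shape also does not fire.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"ILLUSTRATION http_header plus absolute byte_test"; \
    flow:to_server,established; \
    content:"Content-Length|3A| "; nocase; http_header; \
    byte_test:1,<,0x30,73; \
    classtype:misc-activity; sid:1000003; rev:1;)
```

The byte_test in each rule reads one byte and alerts when it is below 0x30 ('0'), i.e. when the header value does not start with a digit, which is one way to catch a leading minus sign; that detection logic is an assumption chosen to fit the attachment name, not something the post states. To reproduce the report, run each rule alone against the attached pcap with `snort -r ncontentlen.pcap -c <rules file> -A console` and compare which ones alert.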