[Snort-sigs] testing snort signature with uri content

MD B Zaman L mdbzaman.l at ...2420...
Wed Feb 13 05:49:30 EST 2008

Greetings All,

         I am a new user of snort . I am finding some difficulty in using
the snort signatures with uri content.

        I have created my own snort signature as follows to test for uri

       alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80  (msg:"uri content
testing successful "; flow:to_server,established; uricontent:"/server-info";

       sid:1000007; )

     After that I tried to access the webpage
http://<http_server>/server-info  and verified with ethereal whether the
content /server-info  is generated or not.
     Ethereal was showing that the content was generated.

     But no alert was fired for the  above written signature .

     Please clarify me how to test signatures with uri content.

     Snort is working fine as I have checked with other signatures with no

       With Thanks in Advance

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20080213/b6032e16/attachment.html>

More information about the Snort-sigs mailing list