[Snort-sigs] testing snort signature with uri content

MD B Zaman L mdbzaman.l at ...2420...
Wed Feb 13 05:49:30 EST 2008


Greetings All,

         I am a new user of snort . I am finding some difficulty in using
the snort signatures with uri content.

        I have created my own snort signature as follows to test for uri
content.

       alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80  (msg:"uri content
testing successful "; flow:to_server,established; uricontent:"/server-info";

       sid:1000007; )


     After that I tried to access the webpage
http://<http_server>/server-info  and verified with ethereal whether the
content /server-info  is generated or not.
     Ethereal was showing that the content was generated.

     But no alert was fired for the  above written signature .

     Please clarify me how to test signatures with uri content.

     Snort is working fine as I have checked with other signatures with no
uricontent.

       With Thanks in Advance

    regards
    zaman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20080213/b6032e16/attachment.html>


More information about the Snort-sigs mailing list