[Snort-sigs] testing snort signature with uri content

Akash Mahajan amahajan at ...3340...
Wed Feb 13 05:44:28 EST 2008



MD B Zaman L wrote:
|
|        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"uri content testing successful"; flow:to_server,established; uricontent:"/server-info"; sid:1000007;)
|

You might want to change $HTTP_SERVERS to $HOME_NET and 80 to $HTTP_SERVERS

It's always a good idea to break up your test into two parts.

Part one is the actual sig for pattern matching. In part one you can give
any any -> any any

After you have confirmed that the sig is getting you alerts, you can go to part two.

Part two is where you can, using Wireshark/Ethereal, see what the source and
destination are and whether your variables in the conf file are defined according to that.

regards
Akash
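The two-part test from the reply above, as a script (an added example in Python, not code from the original post or from the Snort project): widen_header produces the part-one variant of the rule with its header replaced by any any -> any any, so only the options are under test; diagnose does part two by taking the source and destination seen in Wireshark and reporting which header field rejects them under the variables defined in snort.conf. The snort.conf fragment, the values in it and the packet tuples are constructed for the example; the rule is the one quoted above, joined onto one line. Nested bracket lists inside a variable are not handled.

```python
"""Snort rule-header checker for the two-part test above (added example,
not code from the original post or the Snort project; SAMPLE_CONF and the
packet tuples are constructed)."""
import ipaddress
import re

# Constructed snort.conf fragment (assumed values, not from the thread).
SAMPLE_CONF = """\
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
ipvar HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080,8000:8010]
"""
# The rule posted in the thread, joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
        '(msg:"uri content testing successful"; flow:to_server,established; '
        'uricontent:"/server-info"; sid:1000007;)')
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))$', re.S)
# (header field, variable kind it accepts, index into (src, sport, dst, dport))
FIELDS = (('src', 'ipvar', 0), ('sport', 'portvar', 1),
          ('dst', 'ipvar', 2), ('dport', 'portvar', 3))

def parse_conf(text):
    """Map NAME -> (kind, raw spec) for var/ipvar/portvar lines."""
    defs = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(var|ipvar|portvar)\s+(\w+)\s+(\S+)', line)
        if m:
            defs[m.group(2)] = (m.group(1), m.group(3))
    return defs

def parse_header(rule):
    """Split a rule into its header fields and the option block."""
    return HEADER_RE.match(rule.strip()).groupdict()

def _matches(spec, value, defs, kind):
    """Evaluate an address (kind='ipvar') or port (kind='portvar') spec."""
    spec = spec.strip()
    if spec == 'any':
        return True
    if spec.startswith('!'):
        return not _matches(spec[1:], value, defs, kind)
    if spec.startswith('$'):
        if spec[1:] not in defs:
            raise LookupError('undefined variable ' + spec)
        vkind, vspec = defs[spec[1:]]
        if vkind not in ('var', kind):            # e.g. an ipvar in a port slot
            raise TypeError('%s is %s, expected %s' % (spec, vkind, kind))
        return _matches(vspec, value, defs, kind)
    if spec.startswith('['):                      # flat list; nesting not handled
        items = [i.strip() for i in spec[1:-1].split(',')]
        # Snort list semantics: a non-negated entry must match, no negated one may.
        wanted = [i for i in items if not i.startswith('!')]
        banned = [i[1:] for i in items if i.startswith('!')]
        return ((not wanted or any(_matches(i, value, defs, kind) for i in wanted))
                and not any(_matches(i, value, defs, kind) for i in banned))
    if kind == 'ipvar':                           # CIDR block or single host
        return ipaddress.ip_address(value) in ipaddress.ip_network(spec, strict=False)
    lo, sep, hi = spec.partition(':')             # "80", "lo:hi", ":hi" or "lo:"
    if sep:
        return (int(lo) if lo else 0) <= value <= (int(hi) if hi else 65535)
    return value == int(spec)

def widen_header(rule):
    """Part one: keep the options, drop every header restriction."""
    h = parse_header(rule)
    return '%s %s any any -> any any %s' % (h['action'], h['proto'], h['opts'])

def diagnose(rule, pkt, defs):
    """Part two: list the header fields that reject pkt=(src, sport, dst, dport);
    an empty list means the header passes and only the options can still fail."""
    h = parse_header(rule)
    def rejected(p):
        out = []
        for field, kind, i in FIELDS:
            try:
                if not _matches(h[field], p[i], defs, kind):
                    out.append('%s %s rejects %s' % (field, h[field], p[i]))
            except (LookupError, TypeError, ValueError) as e:
                out.append('%s %s: %s' % (field, h[field], e))
        return out
    failed = rejected(pkt)
    if failed and h['dir'] == '<>':               # bidirectional: try the other way
        src, sport, dst, dport = pkt
        if not rejected((dst, dport, src, sport)):
            failed = []
    return failed

if __name__ == '__main__':                        # constructed Wireshark observation
    defs = parse_conf(SAMPLE_CONF)
    print(widen_header(RULE))
    print(diagnose(RULE, ('10.0.0.5', 51234, '192.168.1.10', 80), defs))
```

Running it shows the case the two-part method is designed to catch: the widened rule alerts on the URI alone, but a test client sitting inside $HOME_NET is rejected by $EXTERNAL_NET in the original header, so the full rule never alerts even though the pattern matches. A variable that is not defined in the conf, or an ipvar referenced in a port position, is reported in the same list rather than failing silently.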



