[Snort-sigs] testing snort signature with uri content
amahajan at ...3340...
Wed Feb 13 05:44:28 EST 2008
MD B Zaman L wrote:
| alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"uri
| content testing successful "; flow:to_server,established;
| sid:1000007; )
You might want to change $HTTP_SERVERS to $HOME_NET and 80 to $HTTP_SERVERS.
It's always a good idea to break up your test into two parts.
Part one is the actual sig for pattern matching. In part one you can give
any any -> any any
After you have confirmed the sig is getting you alerts, you can go to part two.
Part two is where you can use Wireshark/Ethereal to see what the source and
destination are, and whether your variables in the conf file are defined according to that.