[Snort-sigs] testing snort signature with uri content

Joel Esler joel.esler at ...435...
Wed Feb 13 09:34:34 EST 2008


I would first look at your directional statements.  How do you have
$HTTP_SERVERS configured?  Is it pointing towards $HOME_NET?  Is your
$HOME_NET filled in?

How about $EXTERNAL_NET?  How is that variable configured?

J

On Feb 13, 2008, at 5:49 AM, MD B Zaman L wrote:

> Greetings All,
>
>          I am a new user of Snort. I am finding some difficulty in
> using the Snort signatures with uri content.
>
>         I have created my own Snort signature as follows to test for
> uri content.
>
>        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"uri content testing successful "; flow:to_server,established; uricontent:"/server-info"; sid:1000007;)
>
>
>      After that I tried to access the webpage
> http://<http_server>/server-info and verified with ethereal whether
> the content /server-info is generated or not.
>      Ethereal was showing that the content was generated.
>
>      But no alert was fired for the above-written signature.
>
>      Please clarify for me how to test signatures with uri content.
>
>      Snort is working fine, as I have checked with other signatures
> with no uricontent.
>
>        With Thanks in Advance
>
>     regards
>     zaman
>


--
Joel Esler  joel.esler at ...435...





