mikem at ...1951...
Fri Jan 15 15:37:43 EST 2010
I'm trying to write some rules that will alert whenever a specific http
host is requested by a client. For example:
alert tcp any any -> any $HTTP_PORTS (msg: "HTTP traffic to
www.microsoft.com"; content: "www.microsoft.com"; http_header; nocase;
However I cannot get this rule to alert. What am I doing wrong?
I did notice this in the release notes for 2.8.6 Beta:
[*] New Additions
* HTTP Inspect now splits requests into 5 components -
Method, URI, Header (non-cookie), Cookies, Body.
Content and PCRE rule options can now search one or more of these
I'm currently using 18.104.22.168; do I need to upgrade to 2.8.6 beta?
Any help will be most appreciated.
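Added example, not part of the original post and not Snort code: a simplified Python sketch of the five-way split the quoted release notes describe, showing which component a Host value lands in. The function names and the sample request are constructed for illustration; Snort's own normalization is more involved.

```python
# Illustration only: hypothetical helpers, not Snort's HTTP Inspect code.

def split_http_request(raw: bytes) -> dict:
    """Split one HTTP request into Method, URI, Header (non-cookie), Cookies, Body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else b""
    header_lines, cookie_lines = [], []
    for line in lines[1:]:
        name = line.split(b":", 1)[0].strip().lower()
        # Cookie lines go to their own component; everything else is "header".
        (cookie_lines if name == b"cookie" else header_lines).append(line)
    return {
        "method": method,
        "uri": uri,
        "header": b"\r\n".join(header_lines),
        "cookie": b"\r\n".join(cookie_lines),
        "body": body,
    }


def content_match(buffers: dict, component: str, needle: bytes,
                  nocase: bool = False) -> bool:
    """Search for needle in one component only, optionally ignoring case."""
    haystack = buffers[component]
    if nocase:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


# Constructed sample request (not captured traffic).
SAMPLE_REQUEST = (
    b"GET /en-us/default.aspx HTTP/1.1\r\n"
    b"Host: WWW.Microsoft.com\r\n"
    b"User-Agent: example-client\r\n"
    b"Cookie: ref=www.microsoft.com\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    bufs = split_http_request(SAMPLE_REQUEST)
    for name in ("method", "uri", "header", "cookie", "body"):
        hit = content_match(bufs, name, b"www.microsoft.com", nocase=True)
        print(f"{name:7s} match={hit}")
```

The Host value is found only when the search is restricted to the header component (or the separate cookie component here), never in the URI, and the mixed-case Host line matches only with the case-insensitive option.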