[Snort-sigs] Question about a Snort rule

Will Metcalf william.metcalf at ...2420...
Fri Feb 25 10:34:45 EST 2011

alert udp

should be

alert tcp

your flags are wrong.

instead of flags:S;

On Fri, Feb 25, 2011 at 9:21 AM, Miso Patel <miso.patel at ...2420...> wrote:
> My engineers are having trouble with a custom rule:
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
> request"; content:"iPad"; http_uri; nocase; flags:S;
> classtype:bad-unknown; reference:url,www.apple.com/ipad/;
> sid:18954545; rev:1;)
> Any help would be appreciated.  The rule does not seem to be alerting
> for some reason and I think this could be a bug with Snort.
> Thanks.
> Miso, CISO
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
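The two defects Will points out (a udp header with an http_uri modifier, and flags:S on a rule that needs payload) are easy to catch before a rule is deployed. Below is an added example, not code from the list thread or from Snort, of a small rule linter that flags these inconsistencies; the header/option parser is a deliberate simplification of Snort's rule syntax (an assumption), and FIXED_RULE is a constructed corrected version of the rule in the thread.

```python
import re

# Rule header: action proto src sport dir dst dport (options). Simplified grammar (assumption).
HEADER_RE = re.compile(
    r'^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)
HTTP_MODIFIERS = {"http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_method",
                  "http_cookie", "http_client_body", "http_stat_code", "http_stat_msg"}

# The rule from the thread, and a constructed corrected version of it.
THREAD_RULE = ('alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP request"; '
               'content:"iPad"; http_uri; nocase; flags:S; classtype:bad-unknown; '
               'reference:url,www.apple.com/ipad/; sid:18954545; rev:1;)')
FIXED_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"iPad related HTTP '
              'request"; flow:established,to_server; content:"iPad"; http_uri; nocase; '
              'classtype:bad-unknown; sid:18954545; rev:2;)')

def split_options(body):
    """Split the option body on ';' while respecting double-quoted strings."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    # Each option becomes (name, value); modifiers like http_uri have an empty value.
    return [tuple(o.partition(":")[::2]) for o in opts if o]

def lint_rule(rule):
    """Return a list of (code, message) findings for one Snort rule."""
    m = HEADER_RE.match(rule)
    if not m:
        return [("PARSE", "not a recognisable Snort rule header")]
    proto = m.group(2).lower()
    opts = split_options(m.group(8))
    names = {n.strip().lower() for n, _ in opts}
    findings = []
    if proto != "tcp" and HTTP_MODIFIERS & names:
        findings.append(("HTTP_PROTO", f"http_* modifiers need 'tcp'; rule uses '{proto}'"))
    if "flags" in names and proto != "tcp":
        findings.append(("FLAGS_PROTO", f"flags: is a TCP option and never matches on {proto}"))
    for n, v in opts:
        # A SYN-only match inspects packets that carry no payload, so content can never hit.
        if n.strip().lower() == "flags" and v.split(",")[0].strip() == "S" and \
                ("content" in names or HTTP_MODIFIERS & names):
            findings.append(("FLAGS_SYN", "flags:S selects empty SYN packets; content/http_* can't match"))
    if proto == "tcp" and HTTP_MODIFIERS & names and "flow" not in names:
        findings.append(("NO_FLOW", "add flow:established,to_server to inspect only client requests"))
    return findings
```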
