[Snort-sigs] Question about a Snort rule

Will Metcalf william.metcalf at ...2420...
Fri Feb 25 10:34:45 EST 2011


alert udp

should be

alert tcp

Your flags are wrong.

Instead of flags:S;

use

flow:to_server,established;

Regards,

Will

On Fri, Feb 25, 2011 at 9:21 AM, Miso Patel <miso.patel at ...2420...> wrote:
> My engineers are having trouble with a custom rule:
>
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
> request"; content:"iPad"; http_uri; nocase; flags:S;
> classtype:bad-unknown; reference:url,www.apple.com/ipad/;
> sid:18954545; rev:1;)
>
> Any help would be appreciated.  The rule does not seem to be alerting
> for some reason and I think this could be a bug with Snort.
>
> Thanks.
>
> Miso, CISO
>
>
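As an added example, not from the thread or from Snort itself: a small Python checker that flags the two inconsistencies Will points out (an HTTP buffer modifier on a non-TCP rule, and flags:S next to payload content, which only SYN packets with no payload would satisfy) and confirms the rule with his fixes applied comes back clean. The header regex, option splitter and HTTP_MODIFIERS set are my own simplified model of Snort rule syntax, not Snort's parser.

```python
import re

# The rule as posted in the thread, and the same rule with the reply's two fixes applied.
POSTED_RULE = ('alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP request"; '
               'content:"iPad"; http_uri; nocase; flags:S; classtype:bad-unknown; '
               'reference:url,www.apple.com/ipad/; sid:18954545; rev:1;)')
FIXED_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP request"; '
              'flow:to_server,established; content:"iPad"; http_uri; nocase; classtype:bad-unknown; '
              'reference:url,www.apple.com/ipad/; sid:18954545; rev:2;)')

# Content modifiers that select HTTP buffers; those buffers only exist on reassembled TCP streams.
HTTP_MODIFIERS = {"http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_method",
                  "http_cookie", "http_client_body", "http_stat_code", "http_stat_msg"}
# action proto src sport direction dst dport (options)  -- simplified header grammar
HEADER = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def split_options(body):
    """Split the option body on ';' while respecting quoted strings and backslash escapes."""
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if not escaped and ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
            continue
        quoted = quoted != (ch == '"' and not escaped)   # toggle on an unescaped quote
        escaped = ch == "\\" and not escaped              # next char is literal
        cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return [tuple(o.split(":", 1)) if ":" in o else (o, None) for o in opts]


def lint_rule(rule):
    """Return the defects the reply points out, or [] when the rule is internally consistent."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("not a Snort rule")
    proto, opts = m.group(2).lower(), split_options(m.group(8))
    keys = {k for k, _ in opts}
    findings = []
    if keys & HTTP_MODIFIERS and proto != "tcp":
        findings.append(f"http_* buffers require 'alert tcp', not 'alert {proto}'")
    flags = dict(opts).get("flags")
    if flags and flags.strip().rstrip("+*") == "S" and keys & {"content", "pcre"}:
        findings.append("flags:S matches only SYN packets, which carry no payload to inspect; "
                        "use flow:to_server,established")
    return findings
```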
