[Snort-sigs] Question about a Snort rule
korodev at ...2420...
Fri Feb 25 10:35:32 EST 2011
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
> request"; content:"iPad"; http_uri; nocase; flags:S;
> classtype:bad-unknown; reference:url,www.apple.com/ipad/;
> sid:18954545; rev:1;)
This rule is way off. What are you trying to do here? If you're trying
to alert on iPads browsing the web on your network, then a much
better place to start would be looking at the user agent.
A few things to consider:
1) UDP is not used in regards to HTTP. So you should replace UDP with TCP.
2) You've limited the rule to only alert on matching SYN packets. I
won't mention that there are no SYN packets in UDP, but it's likely
most of your intended content matches will not be in the initial SYN.
3) The http_uri flag limits your content match to the URL.
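As an added illustration (not part of the thread), a small Python checker that flags the protocol/option mismatches the reply describes: http_* modifiers on a non-TCP rule, TCP-only keywords like flags on UDP, and a content match confined to SYN packets. The posted rule is the one quoted above; the corrected rule and its sid are constructed for the example.

```python
import re

# Constructed input: the rule quoted in the thread, joined onto one line.
POSTED_RULE = (
    'alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP request"; '
    'content:"iPad"; http_uri; nocase; flags:S; classtype:bad-unknown; '
    'reference:url,www.apple.com/ipad/; sid:18954545; rev:1;)'
)

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)

TCP_ONLY = {"flags", "flow", "seq", "ack", "window"}   # meaningless for UDP
HTTP_MODS = {"http_uri", "http_raw_uri", "http_header", "http_method",
             "http_cookie", "http_client_body", "http_stat_code"}  # need TCP/HTTP


def split_options(body):
    """Split the option body on ';' while respecting quoted strings."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append(''.join(cur).strip())
    return [o for o in opts if o]


def parse_rule(rule):
    """Return (proto, [(keyword, value-or-None), ...]) for one rule."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule header")
    proto, body = m.group(2).lower(), m.group(8)
    opts = [tuple(o.split(':', 1)) if ':' in o else (o, None) for o in split_options(body)]
    return proto, [(k.strip(), v) for k, v in opts]


def lint_rule(rule):
    """Report the mismatches the reply points out: protocol vs. options."""
    proto, opts = parse_rule(rule)
    names = {k for k, _ in opts}
    findings = []
    if proto != "tcp" and names & HTTP_MODS:
        findings.append("http_* modifiers need proto tcp; HTTP does not run over %s" % proto)
    if proto != "tcp" and names & TCP_ONLY:
        findings.append("%s not valid for %s" % (", ".join(sorted(names & TCP_ONLY)), proto))
    for k, v in opts:
        # flags:S alone matches only the SYN, which carries no payload for content to hit
        if k == "flags" and v and v.split(",")[0].strip() == "S" and "content" in names:
            findings.append("flags:S restricts to SYN packets; content will not match there")
    return findings
```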