[Snort-sigs] Trouble with HTTP status message rule

Research research at ...4016...
Thu Mar 12 17:57:21 EDT 2015


I am currently writing a rather basic rule to track 404 resource not found instances in Snort on a web server.  While I am aware that the logs for the web server process themselves track this, I’d like to generate a Snort rule that does the same for some testing.

Currently my rule is:

    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
        (msg: "Web resource not found"; flow:established,to_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)

I have used the http_stat_code modifier for the content, but when I attempt to locate a non-existent resource:


…the rule does not fire.

I was wondering what I am missing.
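An added illustration of the direction issue, not part of the original post and not Snort's own code: the http_stat_code modifier inspects the status line of the HTTP server response, which travels server to client, so a rule header of $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS combined with flow:to_server only ever sees client requests, where there is no status code to match. The script below is a deliberately simplified model of Snort's header, flow and http_stat_code checks (it assumes nothing about Snort's real preprocessor internals) run over a constructed request/404-response pair; the posted rule's header and flow produce zero alerts, while the same content match with the header reversed and flow:to_client fires once. The corrected rule text shown in the block is likewise an assumption about how a practitioner would rewrite it, not a rule from the post.

```python
"""Model why an http_stat_code rule must look at server-to-client packets."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample exchange (not captured traffic): one client request for a
# missing resource and the server's 404 response on an established session.
REQUEST = b"GET /does-not-exist HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RESPONSE = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
            b"Content-Length: 9\r\n\r\nNot Found")


@dataclass
class Packet:
    src_net: str    # "EXTERNAL_NET" or "HOME_NET"
    src_port: str   # "any" or "HTTP_PORTS"
    dst_net: str
    dst_port: str
    payload: bytes


# Packets as Snort would classify them against its network/port variables.
EXCHANGE = [
    Packet("EXTERNAL_NET", "any", "HOME_NET", "HTTP_PORTS", REQUEST),
    Packet("HOME_NET", "HTTP_PORTS", "EXTERNAL_NET", "any", RESPONSE),
]

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3}) ")


def http_stat_code(payload: bytes) -> Optional[bytes]:
    """Return the status code if the payload is an HTTP response, else None.

    A request has no status line, so this buffer is empty for every
    client-to-server packet: with flow:to_server the content can never match.
    """
    m = STATUS_LINE.match(payload)
    return m.group(1) if m else None


def header_matches(pkt: Packet, header: tuple) -> bool:
    """Rule header check: (src_net, src_port, dst_net, dst_port)."""
    return (pkt.src_net, pkt.src_port, pkt.dst_net, pkt.dst_port) == header


def flow_matches(pkt: Packet, direction: str) -> bool:
    """flow:to_server means the packet travels toward the listening port."""
    toward_server = pkt.dst_port == "HTTP_PORTS"
    return toward_server if direction == "to_server" else not toward_server


def matches(rule: dict, pkt: Packet) -> bool:
    """Simplified rule evaluation: header, flow, then http_stat_code content."""
    if not header_matches(pkt, rule["header"]):
        return False
    if not flow_matches(pkt, rule["flow"]):
        return False
    code = http_stat_code(pkt.payload)
    return code is not None and rule["stat_code"] in code


# The header and flow options exactly as written in the post.
POSTED_RULE = {
    "header": ("EXTERNAL_NET", "any", "HOME_NET", "HTTP_PORTS"),
    "flow": "to_server",
    "stat_code": b"404",
}

# Assumed correction: same content match, but watching the server's reply.
CORRECTED_RULE = {
    "header": ("HOME_NET", "HTTP_PORTS", "EXTERNAL_NET", "any"),
    "flow": "to_client",
    "stat_code": b"404",
}

# Assumed Snort text for the corrected rule (not taken from the post).
CORRECTED_SNORT_RULE = (
    'alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any '
    '(msg:"Web resource not found"; flow:established,to_client; '
    'content:"404"; http_stat_code; priority:4; sid:2000110; rev:2;)'
)


def count_alerts(rule: dict, packets=EXCHANGE) -> int:
    """Number of packets in the exchange that would raise an alert."""
    return sum(matches(rule, p) for p in packets)


if __name__ == "__main__":
    print("posted rule alerts:   ", count_alerts(POSTED_RULE))
    print("corrected rule alerts:", count_alerts(CORRECTED_RULE))
    print(CORRECTED_SNORT_RULE)
```

The same reasoning applies to the other response-side modifiers (http_stat_msg and the response header and body buffers): they are only populated for traffic leaving the web server, so the rule header and the flow keyword must both describe that direction.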

