[Snort-sigs] Trouble with HTTP status message rule
research at ...4016...
Thu Mar 12 17:57:21 EDT 2015
I am currently writing a rather basic rule to track 404 resource not found instances in Snort on a web server. While I am aware that the logs for the web server process themselves track this, I’d like to generate a Snort rule that does the same for some testing.
Currently my rule is:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
(msg: "Web resource not found"; flow:established,to_server; content:"404"; http_stat_code; priority:4; sid:2000110; rev:001;)
I have used the http_stat_code modifier for the content, but when I attempt to locate a non-existent resource:
…the rule does not fire.
I was wondering what I am missing.
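An added example, not part of the original post: `http_stat_code` restricts the match to the status code of the HTTP response, which the server sends to the client, so a rule using it needs a server-to-client header and a `to_client` flow. The sid below is a constructed placeholder, and the rule assumes Snort 2.9.x with http_inspect configured with `extended_response_inspection`.

```snort
# Added example, not the poster's rule.
# Assumption: the http_inspect server configuration includes
# extended_response_inspection; without it the status code buffer
# is not populated and http_stat_code has nothing to match.
# sid 1000001 is a constructed placeholder from the local-rule range.
#
# The 404 is in the server's reply, so the header runs from the web
# server's port back to the client and the flow is to_client.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any \
    (msg:"Web resource not found (HTTP 404 response)"; \
    flow:established,to_client; \
    content:"404"; http_stat_code; \
    priority:4; sid:1000001; rev:1;)
```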