[Snort-users] Writing rules

Matt Kettler mkettler at ...4108...
Mon Jun 2 13:27:10 EDT 2003

At 10:14 AM 6/2/2003 +0200, Patrice.Arnal at ...4604... wrote:
>Using Snort 1.6 to 1.9, the following rules triggered fine:
>alert tcp any any -> any 80 (msg:"INFO WEB-MISC Domino da50.nsf
>access";flags: A+;content:"/da50.nsf";)
>alert tcp any any -> any 80 (msg:"WEB-MISC Lotus Notes da50.nsf access";
>flow:to_server,established; uricontent:"/da50.nsf";
>classtype:web-application-attack; sid:2065; rev:1;)
>Since Snort 2.0 they no longer trigger.

The first rule works flawlessly for me. Are you sure your test is being 
done properly?

I added your rule to my local.rules, restarted snort and loaded 
http://www.google.com/da50.nsf up in mozilla. It triggered this (several 
fields are gratuitously censored, but aren't particularly relevant):

[**] [1:0:0] INFO WEB-MISC Domino da50.nsf access [**]
[Priority: 0]
06/02-xx:xx:xx.xxxx 10.xxx.xxx.xxx:xxxx ->
TCP TTL:xx TOS:0x0 ID:XXXXX IpLen:20 DgmLen:569 DF
***AP*** Seq: 0xXXXXXXXX  Ack: 0xXXXXXXXX  Win: 0xXXXX  TcpLen: 20
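As an added example (mine, not code from the thread or from Snort), here is a toy evaluator for the two quoted rules that shows what each option actually requires of a packet: `flags: A+` versus `flow:to_server`, and raw `content` versus `uricontent`. The packet dicts are constructed, and the percent-decoding stands in for Snort's HTTP URI normalization; both are assumptions of this example, not a statement about why the rules stopped firing in 2.0.

```python
import re
from urllib.parse import unquote

# The two rules quoted in the thread, joined onto one line each.
RULE_CONTENT = (
    'alert tcp any any -> any 80 (msg:"INFO WEB-MISC Domino da50.nsf access";'
    'flags: A+;content:"/da50.nsf";)')
RULE_URICONTENT = (
    'alert tcp any any -> any 80 (msg:"WEB-MISC Lotus Notes da50.nsf access"; '
    'flow:to_server,established; uricontent:"/da50.nsf"; '
    'classtype:web-application-attack; sid:2065; rev:1;)')

def parse_options(rule):
    """Split the (...) option list into {name: value}; bare keywords get ''."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for part in body.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition(":")
            opts[name.strip()] = value.strip().strip('"')
    return opts

def matches(rule, pkt):
    """pkt is a constructed dict: tcp_flags (str), to_server (bool), payload (str)."""
    o = parse_options(rule)
    if "flags" in o:
        required = set(o["flags"].rstrip("+"))  # 'A+' = ACK set, other flags allowed
        if not required <= set(pkt["tcp_flags"]):
            return False
    if "to_server" in o.get("flow", "") and not pkt["to_server"]:
        return False                      # flow: direction must be client -> server
    if "content" in o and o["content"] not in pkt["payload"]:
        return False                      # content: raw payload, no normalization
    if "uricontent" in o:
        m = re.match(r"[A-Z]+ (\S+) HTTP/", pkt["payload"])
        uri = unquote(m.group(1)) if m else ""  # decoded URI (stand-in for HTTP normalization)
        if o["uricontent"] not in uri:
            return False
    return True

def firing_rules(pkt):
    """Return the msg of each rule that fires on pkt, in rule order."""
    return [parse_options(r)["msg"] for r in (RULE_CONTENT, RULE_URICONTENT) if matches(r, pkt)]

# Constructed traffic: plain request, percent-encoded request, and a server reply.
PLAIN = {"tcp_flags": "AP", "to_server": True, "payload": "GET /da50.nsf HTTP/1.0\r\nHost: h\r\n\r\n"}
ENCODED = {"tcp_flags": "AP", "to_server": True, "payload": "GET /da50%2Ensf HTTP/1.0\r\nHost: h\r\n\r\n"}
REPLY = {"tcp_flags": "AP", "to_server": False, "payload": "HTTP/1.0 200 OK\r\n\r\n<a href=\"/da50.nsf\">"}
```

The `REPLY` case is the one worth noticing when testing with a browser: the first rule has no `flow` option, so any packet carrying the string, including a page the server sends back, satisfies it, while the second rule only ever looks at client-to-server requests.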

