[Snort-users] Content rule problem

Matt Kettler mkettler at ...4108...
Fri Apr 16 13:17:11 EDT 2004


At 01:55 PM 4/16/2004, Antonio Eugenio Villar wrote:
>Seems weird but the rule below is not working on Snort
>2.1.2. I appreciate some help.
>
>alert tcp any any -> any any (msg: "XX"; content:
>".ida?"; )
>
>I also tried with uricontent and did not work.
>I am reading a file with -r options with packet using
>GET /default.ida?

Have you tried using the one that's in web-iis.rules? (sid 1243)

Seems silly to re-write a rule to do the same thing as one of the standard 
rules.




