[Snort-users] Rule not working

simonkc at ...11578...
Tue May 11 06:24:04 EDT 2004

I am trying to write the below rule that will detect visits to the "rediff.com"
site. But Snort does not seem to detect it.
Anything wrong with what I am doing?

BTW, the snort.conf file does have the below line:
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

alert tcp any any -> any any (msg:"Somebody visiting Rediff.com site";
ploits.shtml; classtype:attempted-dos; sid:999999; rev:2;)

Ignore the "reference", the classtype, sid and rev in the above rule.

Thanks and Regards   

