[Snort-users] Rule not working

simonkc at ...11578...
Tue May 11 06:24:04 EDT 2004


I am trying to write the rule below, which should detect visits to the
"rediff.com" site, but Snort does not seem to detect it.
Is anything wrong with what I am doing?

By the way, the snort.conf file does have the line below:
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

alert tcp any any -> any any (msg:"Somebody visiting Rediff.com site"; uricontent:"rediff.com"; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype:attempted-dos; sid:999999; rev:2;)

Ignore the "reference", the classtype, sid and rev in the above rule.


Thanks and Regards   

Simon




