[Snort-users] writing rule with uricontent keyword

Edin Dizdarevic Edin.Dizdarevic at ...7509...
Mon Feb 28 13:22:48 EST 2005


Matt Kettler wrote:
> At 02:39 PM 2/28/2005, Jiju Menon wrote:
> 
...

> At casual glance, it looks OK...
> 
> As a sanity check, can you try a rule using "any any -> any 80" instead 
> of HOME_NET and EXTERNAL_NET?
> 
> You also might need http_inspect enabled for the uricontent keyword to 
> work.

As a matter of fact you _must_ have it enabled for uricontent to work.
(...painfully experienced a few weeks ago... :( )

Best regards,
Edin


-- 
Edin Dizdarevic
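
An added example, not part of the original message: a small Python check that flags `uricontent` rules which http_inspect will not serve. It assumes Snort 2.x `preprocessor http_inspect` / `http_inspect_server` syntax and uses constructed config and rule text. It goes one step beyond the point above by also flagging literal destination ports missing from an explicit `ports { }` list.

```python
import re

# Constructed Snort 2.x style samples, not taken from the thread.
CONF_OFF = """\
# preprocessor http_inspect: global iis_unicode_map unicode.map 1252
# preprocessor http_inspect_server: server default profile all ports { 80 }
"""
CONF_ON = """\
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
"""
RULES = """\
alert tcp any any -> any 80 (msg:"constructed 1"; uricontent:"/admin.php"; sid:1000001; rev:1;)
alert tcp any any -> any 8000 (msg:"constructed 2"; uricontent:"/login"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"constructed 3"; content:"GET"; sid:1000003; rev:1;)
"""

def active_lines(text):
    """Non-empty lines that are not commented out."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]

def http_inspect_state(conf):
    """Return (enabled, ports): both preprocessor lines active, explicit ports."""
    has_global = has_server = False
    ports = set()
    for line in active_lines(conf):
        if re.match(r"preprocessor\s+http_inspect\s*:", line):
            has_global = True
        elif re.match(r"preprocessor\s+http_inspect_server\s*:", line):
            has_server = True
            m = re.search(r"ports\s*\{([^}]*)\}", line)
            ports.update(m.group(1).split() if m else [])
    return has_global and has_server, ports

def lint(conf, rules):
    """Return (sid, reason) for uricontent rules http_inspect will not feed."""
    enabled, ports = http_inspect_state(conf)
    findings = []
    for line in active_lines(rules):
        if "uricontent:" not in line:
            continue
        m = re.search(r"sid:\s*(\d+)", line)
        sid = m.group(1) if m else "?"
        dport = line.split("(", 1)[0].split()[-1]  # last header field
        if not enabled:
            findings.append((sid, "http_inspect not enabled"))
        elif dport.isdigit() and ports and dport not in ports:
            findings.append((sid, f"port {dport} outside http_inspect_server ports"))
    return findings
```

The check only handles single-line rules and literal port numbers; port variables and multi-line rules would need expanding first.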




