[Snort-users] writing rule with uricontent keyword
bmc at ...950...
Tue Mar 1 11:08:35 EST 2005
On Mon, Feb 28, 2005 at 02:39:08PM -0500, Jiju Menon wrote:
> I tried to get an alert with a test rule using uricontent:
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"yahoo.com";
> The rule seems not to detect a connection made to yahoo.com. Can
> anyone help me to get this rule working?
While requesting the URL http://www.yahoo.com/foo.html, your packet will look
something like this:
GET /foo.html HTTP/1.1\r\nHost: www.snort.org\r\n\r\n
You need to write your rule to look something like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"yahoo.com";
content:"Host|3a|"; nocase; pcre:"/^Host\x3a.*yahoo\.com/mi";)
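As an added example (not part of the original post and not Snort code), the following Python script emulates the two matching approaches discussed above against a constructed request whose Host header is www.yahoo.com: a uricontent-style search that only sees the request URI, and a Snort-style pcre applied to the whole payload. Function names and the sample request are assumptions for illustration.

```python
import re

# Constructed sample request, modelled on the one in the post, with the
# Host header set to www.yahoo.com so the example is self-consistent.
SAMPLE_REQUEST = b"GET /foo.html HTTP/1.1\r\nHost: www.yahoo.com\r\n\r\n"


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into method, URI and a lower-cased header dict."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


def uricontent_matches(raw: bytes, needle: str) -> bool:
    """Emulate uricontent: only the request URI is searched, never the headers."""
    return needle.lower() in parse_request(raw)["uri"].lower()


# Snort pcre modifiers /m and /i correspond to re.MULTILINE | re.IGNORECASE.
SNORT_FLAGS = re.MULTILINE | re.IGNORECASE


def pcre_matches(raw: bytes, pattern: str) -> bool:
    """Apply a Snort-style pcre to the whole request payload."""
    return re.search(pattern.encode("latin-1"), raw, SNORT_FLAGS) is not None


# Pattern as originally posted: 'Host:\x3a' requires a literal "Host::" and
# therefore never matches a real Host header.
POSTED_PATTERN = r"^Host:\x3a.*yahoo.com"
# Corrected pattern: a single colon (\x3a) and an escaped dot in the domain.
FIXED_PATTERN = r"^Host\x3a.*yahoo\.com"


def evaluate(raw: bytes = SAMPLE_REQUEST) -> dict:
    """Return which of the three checks would fire on the given request."""
    return {
        "uricontent": uricontent_matches(raw, "yahoo.com"),
        "posted_pcre": pcre_matches(raw, POSTED_PATTERN),
        "fixed_pcre": pcre_matches(raw, FIXED_PATTERN),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

Only the corrected pcre fires: uricontent cannot see the hostname because it is in the Host header, not the URI, and the posted pcre looks for a double colon.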