[Snort-users] writing rule with uricontent keyword

Brian bmc at ...950...
Tue Mar 1 11:08:35 EST 2005


On Mon, Feb 28, 2005 at 02:39:08PM -0500, Jiju Menon wrote:
> I tried to get an alert with a test rule using uricontent:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"yahoo.com";
> uricontent:"yahoo.com";nocase;)
> 
> The rule seems not to detect a connection made to yahoo.com. Can
> anyone help me to get this rule working?

For the URL http://www.yahoo.com/foo.html, your packet will look
something like this:

    GET /foo.html HTTP/1.1\r\nHost: www.snort.org\r\n\r\n

You need to write your rule to look something like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"yahoo.com"; 
    content:"Host|3a|"; nocase; pcre:"/^Host\x3a.*yahoo\.com/mi";)

Brian
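The buffer distinction Brian describes, as an added illustration (this is not Snort code and not part of the original thread): a constructed request for http://www.yahoo.com/foo.html, a simplified model of what uricontent sees (the request-URI from the request line only; Snort's http_inspect normalisation is not modelled), and a model of the Host-header rule, with small helpers that decode Snort's `|hh|` content syntax and its `/pattern/flags` pcre syntax (only the i, m and s flags are handled). Everything operates on one complete request as if it were a single packet; the rule is stateless, so headers split across packets are outside this model.

```python
"""Why uricontent:"yahoo.com" misses and a Host-header pcre hits.

Added example; the functions only mimic the buffer split discussed in the
reply above (request-URI vs. the raw payload), not Snort itself.
"""
import re

# Constructed request for http://www.yahoo.com/foo.html (not a real capture).
REQUEST = (b"GET /foo.html HTTP/1.1\r\n"
           b"Host: www.yahoo.com\r\n"
           b"User-Agent: example\r\n"
           b"\r\n")

# Constructed request to an unrelated host, to show the rule does not fire on it.
OTHER_REQUEST = (b"GET /yahoo.com/index.html HTTP/1.1\r\n"
                 b"Host: www.example.net\r\n"
                 b"\r\n")


def request_uri(payload: bytes) -> bytes:
    """Request-URI from the request line: roughly the buffer uricontent searches.

    The hostname is not in it; for a normal proxy-less request the client
    puts the host only in the Host header.
    """
    request_line = payload.split(b"\r\n", 1)[0]
    fields = request_line.split(b" ")
    return fields[1] if len(fields) >= 2 else b""


def uricontent_matches(payload: bytes, needle: bytes) -> bool:
    """Model of  uricontent:"<needle>"; nocase;  (URI buffer only)."""
    return needle.lower() in request_uri(payload).lower()


def snort_content(value: str) -> bytes:
    """Decode Snort content syntax, e.g. 'Host|3a|' -> b'Host:'.

    Text outside |...| is literal; inside it is a run of hex bytes.
    """
    parts = value.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content: %r" % value)
    out = bytearray()
    for i, chunk in enumerate(parts):
        out += chunk.encode() if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def snort_pcre(option: str) -> "re.Pattern[bytes]":
    """Compile a Snort pcre option body such as r'/^Host\x3a.*yahoo\.com/mi'.

    Only the i (nocase), m (multiline) and s (dotall) flags are supported;
    anything else raises so the caller notices rather than silently ignoring it.
    """
    if not option.startswith("/") or option.count("/") < 2:
        raise ValueError("expected /pattern/flags, got %r" % option)
    body, _, flags = option[1:].rpartition("/")
    known = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL}
    bits = 0
    for flag in flags:
        if flag not in known:
            raise ValueError("unsupported pcre flag %r" % flag)
        bits |= known[flag]
    return re.compile(body.encode(), bits)


def host_rule_matches(payload: bytes, content: str, pcre: str) -> bool:
    """Model of  content:"Host|3a|"; nocase; pcre:"/.../mi";  on the raw payload.

    Both options must match, as in a Snort rule (options are ANDed).
    """
    if snort_content(content).lower() not in payload.lower():
        return False
    return snort_pcre(pcre).search(payload) is not None


if __name__ == "__main__":
    print("uricontent sees:", request_uri(REQUEST))
    print("uricontent yahoo.com:", uricontent_matches(REQUEST, b"yahoo.com"))
    print("Host rule:", host_rule_matches(REQUEST, "Host|3a|",
                                          r"/^Host\x3a.*yahoo\.com/mi"))
```

Passing the pcre as a string lets you check a candidate pattern before loading it into a rule: a pattern that spells the colon twice (a literal `:` followed by `\x3a`) never matches a real Host header, and `$` or `^` without the `m` flag anchors to the whole payload rather than to the header line.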



