[Snort-users] uricontent questions

Brad W Rothwell ROTHBW at ...1871...
Wed Mar 2 11:56:24 EST 2005

All, I recently installed Snort 2.3.0.  My understanding is that I can
use uricontent to search for strings as they appear in the browser address
location bar.  For example, if the address location is http://foo.com,
the following rule should alert.


alert tcp any any <> $HTTP_SERVERS any (msg: "foo found"; uricontent:"foo"; nocase;)


I have http_inspect set to the following

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth

The rule does not alert.  Am I missing something?
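
Added example (not part of the original post and not Snort code): a simplified Python model of which bytes a uricontent match is evaluated against. uricontent inspects the request URI that http_inspect extracts from the request line, while the hostname typed into the address bar travels in the Host header. The helper names, the sample requests and the use of percent-decoding as a stand-in for http_inspect normalization are assumptions made for illustration.

```python
# Simplified model of which bytes a uricontent match inspects.
# Not Snort code; the request bytes below are constructed samples.
from urllib.parse import unquote


def split_request(raw: bytes):
    """Return (request_target, host_header) from a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return target, host


def uricontent_match(raw: bytes, needle: str, nocase: bool = True) -> bool:
    """Match needle against the percent-decoded request target only."""
    target, _host = split_request(raw)
    uri = unquote(target)  # assumption: stand-in for http_inspect normalization
    if nocase:
        return needle.lower() in uri.lower()
    return needle in uri


def build_request(url_path: str, host: str) -> bytes:
    """What a browser sends to the origin server for http://<host><path>."""
    return f"GET {url_path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")


# Constructed samples: address bar URL -> request on the wire
SAMPLES = {
    "http://foo.com/": build_request("/", "foo.com"),
    "http://foo.com/FOO/index.html": build_request("/FOO/index.html", "foo.com"),
    "http://bar.example/%66oo": build_request("/%66oo", "bar.example"),
}

if __name__ == "__main__":
    for url, raw in SAMPLES.items():
        target, host = split_request(raw)
        print(f"{url:32} uri={target!r:20} host={host!r:14} "
              f"match={uricontent_match(raw, 'foo')}")
```

In this model, a request for http://foo.com/ carries the URI "/" and the string "foo" only in the Host header, so a URI-only match on "foo" does not fire; matching the hostname would need a plain content match on the packet payload instead.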

