[Snort-users] uricontent questions

Matt Kettler mkettler at ...4108...
Wed Mar 2 13:44:32 EST 2005


At 02:54 PM 3/2/2005, Brad W Rothwell wrote:
>All,  I recently installed snort 2.3.0.  My understanding is that I can 
>use uricontent to search for strings as they appear in the browser address 
>location bar.  For example, if the address location is 
>http://foo.com the following rule should alert.
>
>alert tcp any any <> $HTTP_SERVERS any (msg: "foo found"; 
>uricontent:"foo"; nocase;)
>
>I have http_inspect set to the following
>preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
>preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0
>
>The rule does not alert.  Am I missing something?


What is HTTP_SERVERS set to? The above rule will only alert if the server 
for foo.com is actually a part of that net range.
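
Added example (not part of the original message, and not Snort's own code): a simplified Python model of how the rule quoted above is evaluated, covering both the HTTP_SERVERS membership check and the uricontent match. It assumes a direct (non-proxied) request, where browsing to http://foo.com sends `GET /` with `Host: foo.com`, and that uricontent is compared against the request URI only; addresses and payloads are constructed, and ports and http_inspect normalization are not modeled.

```python
import ipaddress

def parse_var(value):
    """Parse a Snort IP variable: 'any', one address/CIDR, or a [a,b,...] list."""
    value = value.strip()
    if value == "any":
        return None  # None means "matches every address"
    items = value.strip("[]").split(",")
    return [ipaddress.ip_network(i.strip(), strict=False) for i in items if i.strip()]

def in_var(ip, nets):
    """True if ip falls inside the parsed variable (negation is not handled)."""
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)

def request_uri(payload):
    """Return the URI field of the HTTP request line, or None if not a request."""
    line = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(line) != 3 or not line[2].startswith(b"HTTP/"):
        return None
    return line[1]

def rule_fires(src, dst, payload, http_servers, needle=b"foo"):
    """Model: alert tcp any any <> $HTTP_SERVERS any (uricontent:"foo"; nocase;)"""
    nets = parse_var(http_servers)
    # '<>' is bidirectional: either endpoint may be the $HTTP_SERVERS side.
    if not (in_var(src, nets) or in_var(dst, nets)):
        return False, "neither endpoint is in HTTP_SERVERS"
    uri = request_uri(payload)
    # nocase: compare case-insensitively, and only against the URI field.
    if uri is None or needle.lower() not in uri.lower():
        return False, "uricontent not found in request URI"
    return True, "alert"

# Constructed sample traffic (documentation address ranges).
REQ_ROOT = b"GET / HTTP/1.1\r\nHost: foo.com\r\n\r\n"
REQ_PATH = b"GET /Foo/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
CLIENT, SERVER = "192.0.2.10", "203.0.113.80"

if __name__ == "__main__":
    for servers in ("10.1.1.0/24", "[10.1.1.0/24,203.0.113.80]", "any"):
        for req in (REQ_ROOT, REQ_PATH):
            first_line = req.split(b"\r\n")[0].decode()
            print(servers, "|", first_line, "|", rule_fires(CLIENT, SERVER, req, servers))
```
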






