[Snort-users] uricontent error

Dario Alonso listasnort at ...11031...
Wed Sep 14 22:08:21 EDT 2005


Hi.
I'm trying a simple Snort rule with uricontent, and it doesn't capture anything.

My config file is this:
------------------------------
var HOME_NET 172.26.0.0/24
var EXTERNAL_NET any
var HTTP_SERVERS 172.26.0.4
var RULE_PATH c:\snort\rules
var HTTP_PORTS 80
#preprocessor frag2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble

preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500

include $RULE_PATH/rule1.txt
------------------------------

And my rule1.txt is this:
-----------------------------
alert tcp any any <> any any (uricontent:"search";)
alert tcp any any -> any any (uricontent:"exec"; )
-----------------------------

I run Snort on Windows:
snort -de -l c:\Snort\log -c c:\Snort\etc\snort.conf

And I search for the words exec or search in Google, and... nothing at all.

I was looking in the list's files, and I think everything is OK.

Thanks

		