[Snort-users] uricontent error

Joel Esler joel.esler at ...1935...
Wed Sep 14 22:13:01 EDT 2005


Uricontent by default will only read 300 bytes into a packet. (You
can configure this, but I recommend not.)

Since uricontent is really only good at the beginning of a session,
it's really handy for an initial GET request.

My recommendation is that you use content, not uricontent.

J


On Sep 15, 2005, at 1:07 AM, Dario Alonso wrote:

> Hi.
> I'm trying a simple Snort rule with uricontent, and it doesn't
> capture anything.
>
> My config file is this:
> ------------------------------
> var HOME_NET 172.26.0.0/24
> var EXTERNAL_NET any
> var HTTP_SERVERS 172.26.0.4
> var RULE_PATH c:\snort\rules
> var HTTP_PORTS 80
> #preprocessor frag2
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
> preprocessor stream4: disable_evasion_alerts
> preprocessor stream4_reassemble
>
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> include $RULE_PATH/rule1.txt
> ------------------------------
>
> And my rule1.txt is this:
> -----------------------------
> alert tcp any any <> any any (uricontent:"search";)
> alert tcp any any -> any any (uricontent:"exec"; )
> -----------------------------
>
> I run snort in windows
> snort -de -l c:\Snort\log -c c:\Snort\etc\snort.conf
> And search the words exec or search in google, and... nothing at all.
>
> I was looking in the list's files, and I think everything is ok
>
> Thanks

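Added example (not part of the original thread and not Snort code): a simplified Python model of the difference discussed above, where a uricontent-style match sees only the percent-decoded request URI and a content-style match sees the raw payload. The payloads are constructed, the function names are hypothetical, and the 300-byte depth is the figure given in the reply.

```python
from urllib.parse import unquote

METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")

def normalized_uri(payload: bytes, depth: int):
    """Simplified URI buffer: the request-line URI found within the first
    `depth` bytes, percent-decoded. Returns None when there is no request line."""
    first_line = payload[:depth].split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2 or parts[0] not in METHODS:
        return None  # a response, or a segment that does not start a request
    return unquote(parts[1].decode("latin-1"))

def uricontent_match(payload: bytes, pattern: str, depth: int = 300) -> bool:
    """Model of uricontent: pattern is searched in the normalized URI only.
    depth=300 is the default stated in the reply (assumption of this model)."""
    uri = normalized_uri(payload, depth)
    return uri is not None and pattern in uri

def content_match(payload: bytes, pattern: str) -> bool:
    """Model of content: pattern is searched in the raw payload bytes."""
    return pattern.encode() in payload

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "plain_get":   b"GET /search?q=snort HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "encoded_uri": b"GET /%73earch?q=snort HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "post_body":   b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
                   b"Content-Length: 13\r\n\r\naction=search",
    "response":    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   b"<a href=\"/search\">",
    "long_uri":    b"GET /" + b"a" * 400 + b"/exec HTTP/1.1\r\n"
                   b"Host: example.test\r\n\r\n",
}

def compare(pattern: str) -> dict:
    """Map sample name -> (uricontent-style hit, content-style hit)."""
    return {name: (uricontent_match(p, pattern), content_match(p, pattern))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for pattern in ("search", "exec"):
        for name, (uri_hit, raw_hit) in compare(pattern).items():
            print(f"{pattern:7} {name:12} uricontent={uri_hit!s:5} content={raw_hit}")
```

In this model the raw match misses the percent-encoded URI, while the URI-only match misses the POST body, the response, and anything past the depth limit.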