[Snort-users] uricontent error

Russ Starr russ.starr at ...11827...
Wed Sep 14 22:34:00 EDT 2005


For Win32... 

Find what network interface you want to listen on by using:

snort -W

In my case the first two interfaces are 1394 adapters while the third
is my actual ethernet interface that I use for my network.

Refer to that interface by its number in your command line with the -i option.

snort -i 3

Hope that helps.  I ran into this the first time running Snort for Win32.

-Russ


On 9/15/05, Dario Alonso <listasnort at ...11031...> wrote:
> Hi.
> I'm trying a simple Snort rule with uricontent, and it doesn't capture
> anything.
> 
> My config file is this:
> ------------------------------
> var HOME_NET 172.26.0.0/24
> var EXTERNAL_NET any
> var HTTP_SERVERS 172.26.0.4
> var RULE_PATH c:\snort\rules
> var HTTP_PORTS 80
> #preprocessor frag2
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
> preprocessor stream4: disable_evasion_alerts
> preprocessor stream4_reassemble
> 
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
> 
> include $RULE_PATH/rule1.txt
> ------------------------------
> 
> And my rule1.txt is this:
> -----------------------------
> alert tcp any any <> any any (uricontent:"search";)
> alert tcp any any -> any any (uricontent:"exec"; )
> -----------------------------
> 
> I run Snort on Windows:
> snort -de -l c:\Snort\log -c c:\Snort\etc\snort.conf
>  
> And I search for the words exec or search in Google, and... nothing at all.
> 
> I was looking in the list's files, and I think everything is OK.
> 
> Thanks
> 



