[Snort-users] Question about rules

Ricardo Barbosa ricardobarbosams at ...6873...
Wed Jan 27 00:52:08 EST 2010


Hello, I am entering the world of IPS and have begun to test and learn
Snort, but I have a question about creating rules.
I was reading the Snort manual (PDF file), which has a chapter on
writing rules. Following the documentation, I created the rule
below:

alert tcp any any -> 10.0.0.0/8 80 (content:"test_rule"; msg: "TEST HTTP";)

I assembled a network with VirtualBox with the following topology:

10.0.0.0/8(.2) <---> (.1) snort (.1) <---> 20.0.0.0/8(.2) 

I put a web server (Apache) on 10.0.0.2 and created the following HTML:
 
<html> 
<body> 
<h1> teste_rule</h1> 
</body> 
</html> 

and from the machine 20.0.0.2 I try to access this page through Snort.
Looking at the above rule, should it not generate an alert in the
file /var/log/snort/alert?

Can someone help me see what I'm missing?

Regards,
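
An added example, not part of the original post and not Snort's own code: a simplified Python model of how a `->` rule header and a single `content` option are evaluated, run against constructed packets for the lab described above. The client port, the packet payloads and the `VARIANT` rule are assumptions made for illustration.

```python
import ipaddress
import re

# Simplified model of a Snort rule with one content option (assumptions: no
# content modifiers, no stream reassembly, "->" direction only).
RULE_RE = re.compile(r'alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)\s*$')

def parse_rule(text):
    src, sport, dst, dport, opts = RULE_RE.match(text).groups()
    content = re.search(r'content:\s*"([^"]*)"', opts).group(1)
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "content": content.encode()}

def addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def evaluate(rule, pkt):
    """Return (header_matches, content_matches) for one packet."""
    header = (addr_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
              and addr_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"]))
    # content is a byte-exact, case-sensitive substring search of the payload
    return header, rule["content"] in pkt["payload"]

def alerts(rule, pkt):
    return all(evaluate(rule, pkt))

# The rule from the post, on one line.
POSTED = parse_rule('alert tcp any any -> 10.0.0.0/8 80 (content:"test_rule"; msg: "TEST HTTP";)')
# Hypothetical variant: server-to-client header, content equal to the page text.
VARIANT = parse_rule('alert tcp 10.0.0.0/8 80 -> any any (content:"teste_rule"; msg: "TEST HTTP";)')

# Constructed packets for the lab in the post (client port 40000 is made up).
REQUEST = {"src": "20.0.0.2", "sport": 40000, "dst": "10.0.0.2", "dport": 80,
           "payload": b"GET / HTTP/1.1\r\nHost: 10.0.0.2\r\n\r\n"}
RESPONSE = {"src": "10.0.0.2", "sport": 80, "dst": "20.0.0.2", "dport": 40000,
            "payload": b"HTTP/1.1 200 OK\r\n\r\n<html>\n<body>\n<h1> teste_rule</h1>\n</body>\n</html>\n"}

if __name__ == "__main__":
    for name, rule in (("posted", POSTED), ("variant", VARIANT)):
        for label, pkt in (("request", REQUEST), ("response", RESPONSE)):
            print(name, label, evaluate(rule, pkt), alerts(rule, pkt))
```

In this model the posted rule's header matches only the client request, whose payload does not carry the page body, and the string `test_rule` is not a substring of `teste_rule` in the response.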

