[Snort-users] can't get http_stat_code to firing

Eoin Miller eoin.miller at ...14586...
Fri Mar 23 14:12:13 EDT 2012


You traffic flow is backwards. 404's originate from the server, not from
the client.

-- Eoin

On 3/23/2012 3:02 PM, Anonymous forum wrote:
> I have enabled the http_inspect and preprocessor enabled. I have
> extended responses enabled. 
> my rule is alert tcp any any -> $HTTP_SERVER $HTTP_PORTS (content:"404";
> http_stat_code;sid:11111111111;msg:"url not found";)
> 
> why would it not be firing..
> 
> 
> ------------------------------------------------------------------------------
> This SF email is sponsosred by:
> Try Windows Azure free for 90 days Click Here 
> http://p.sf.net/sfu/sfd2d-msazure
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!





More information about the Snort-users mailing list