[Snort-users] uricontent and http_method
alannala1972 at ...131...
Fri Jul 26 06:11:10 EDT 2013
Running: Version 22.214.171.124 IPv6 GRE (Build 121)
Struggling to answer the questions regarding why I can't get http_method or uricontent sigs to trip. in my testing I am just really trying to flag the detection of part of the URI say "AWS96.jsp?" with uricontent or GET / POST with http_method.
here is my testing examples. I am going to a known website with GET, and URI = "AWS96.jsp?"
alert tcp any any -> any 80 (msg:"testing uricontent"; uricontent:"AWS96.jsp?"; nocase; sid:xxxx;)
alert tcp any any -> any 80 (msg:"testing http_method"; content:"GET"; http_method; nocase; sid:xxxx;)
Are the http preprocessor turned on default or have to have something configured with them? I found them in the snort.conf, but didn't see anything that I needed to do.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users