[Snort-users] uricontent and http_method

Alan Nala alannala1972 at ...131...
Fri Jul 26 06:11:10 EDT 2013


Running: Version IPv6 GRE (Build 121)

Struggling to answer the questions regarding why I can't get http_method or uricontent sigs to trip. In my testing I am just really trying to flag the detection of part of the URI, say "AWS96.jsp?", with uricontent, or GET / POST with http_method.

Here are my testing examples. I am going to a known website with GET, and URI = "AWS96.jsp?"

alert tcp any any -> any 80 (msg:"testing uricontent";  uricontent:"AWS96.jsp?"; nocase; sid:xxxx;)
alert tcp any any -> any 80 (msg:"testing http_method"; content:"GET"; http_method; nocase; sid:xxxx;)

Are the http preprocessors turned on by default, or do they have to have something configured with them? I found them in the snort.conf, but didn't see anything that I needed to do.
