[Snort-users] Problem with Content rule option

Joel Esler (jesler) jesler at ...589...
Thu Dec 18 00:44:35 EST 2014

Perhaps a sample packet capture, rule, and snort.conf?

Joel Esler
Sent from my iPhone

On Dec 17, 2014, at 11:04 PM, Mark Greenman <mark.greenman.014 at ...11827...<mailto:mark.greenman.014 at ...11827...>> wrote:

Hi. I am new to snort. I want to use content rule option to execute some actions based on the content of the http response message (the payload). But, it can not work properly. For example, if I want to replace some word with another, the detection engine can detect some words in the http response message but can not some of the same words in the same message. Sometimes it can't even detect a single word. The problem is that it works properly for the content of the http header. Does anyone know the reason?

Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20141218/70a0a5d6/attachment.html>

More information about the Snort-users mailing list