[Snort-users] Fwd: Problem with Content rule option

Mark Greenman mark.greenman.014 at ...11827...
Sat Dec 20 00:49:26 EST 2014


Here are the rule set, snort.conf file and a pcap file for a simple
experiment. Please tell me if there are any problems.
Thanks

---------- Forwarded message ----------
From: Joel Esler (jesler) <jesler at ...589...>
Date: Thu, Dec 18, 2014 at 3:17 PM
Subject: Re: [Snort-users] Problem with Content rule option
To: Mark Greenman <mark.greenman.014 at ...11827...>


 https://snort.org/faq/what-is-the-mailing-list-etiquette

 #4

--
*Joel Esler*
Sent from my iPhone

On Dec 18, 2014, at 2:25 AM, Mark Greenman <mark.greenman.014 at ...11827...>
wrote:

  Thanks for answering, Joel. I have attached the local.rules, snort.conf
and a pcap file to this email. The pcap file has been captured with
Wireshark listening on the internet interface in the client host.

On Thu, Dec 18, 2014 at 9:14 AM, Joel Esler (jesler) <jesler at ...589...>
wrote:
>
>  Perhaps a sample packet capture, rule, and snort.conf?
>
> --
> *Joel Esler*
> Sent from my iPhone
>
> On Dec 17, 2014, at 11:04 PM, Mark Greenman <mark.greenman.014 at ...11827...>
> wrote:
>
>   Hi. I am new to Snort. I want to use the content rule option to execute
> some actions based on the content of the HTTP response message (the
> payload). But it cannot work properly. For example, if I want to replace
> some word with another, the detection engine can detect some words in the
> HTTP response message but cannot detect some of the same words in the same
> message. Sometimes it can't even detect a single word. The problem is that
> it works properly for the content of the HTTP header. Does anyone know the
> reason?
>
>  Thanks
>
>
>     <local.rules>

 <pcap-c2-nfq-replace.pcap>

 <snort.conf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: local.rules
Type: application/octet-stream
Size: 1122 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20141220/97949bdd/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pcap-c2-nfq-replace.pcap
Type: application/octet-stream
Size: 80716 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20141220/97949bdd/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 27055 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20141220/97949bdd/attachment-0002.obj>

