[Snort-users] doubt regarding a snort rule

Johny George Malayil johnygeorgemalayil at ...5176...
Fri Jun 20 17:29:48 EDT 2014


Hello All,

I am a newbie to Snort. I am not sure if this is the correct forum to 
post my doubt.

I was trying to write a rule for a simple HTML file detection. The head 
tag of the html file will always have a particular string,
for example <head>hello world<head> and also the html files follow a 
particular pattern for filename followed by year,
  for example filename2013.html.

I want to write a snort rule to detect this pattern.

I wrote the following rule.

alert tcp any any -> any any ( content :"filename\\d{4}.html"; msg:"page access"; sid:100002; rev:1;)

However I am not getting any alert in my console.

Can someone please help me out?

Thanks a lot in advance. :-)

-- 
Thanks,
Johny George
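
Added example, not part of the original post and not Snort project code: the posted rule, kept as a comment, beside two rules that split the job between a literal `content` match and a `pcre` match. The SIDs and message strings are constructed, and the `flow` keywords assume the stream preprocessor is enabled as in the default configuration.

```snort
# Posted rule: "content" is a literal byte match, not a regular expression.
# With the escaped backslash it searches for the 18 literal bytes
#   filename\d{4}.html
# so a request for filename2013.html never matches and no alert fires.
# alert tcp any any -> any any ( content :"filename\\d{4}.html"; msg:"page access"; sid:100002; rev:1;)

# Request side: a literal "content" anchor gives the fast pattern matcher
# something to search for, then "pcre" checks the four-digit year.
# The dot before "html" is escaped so it matches only a literal ".".
# SIDs are constructed; local rules conventionally use 1000000 and above.
alert tcp any any -> any any (msg:"page access - filenameYYYY.html requested"; flow:to_server,established; content:"filename"; pcre:"/filename\d{4}\.html/"; sid:1000002; rev:1;)

# Response side: the marker string from the post is fixed text, so a plain
# "content" match is enough and no regular expression is needed.
alert tcp any any -> any any (msg:"page access - head marker in response"; flow:to_client,established; content:"<head>hello world"; sid:1000003; rev:1;)
```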