[Snort-users] doubt regarding a snort rule

Nicholas Mavis (nmavis) nmavis at ...589...
Fri Jun 20 18:39:48 EDT 2014


This is typically a post for the Snort-Sigs list. You can not implement a
pcre in a content match, the pcre option is used for this... Also, I would
recommend cleaning up your rules source/destination network and port. You
should really never have a rule that is ³alert tcp any any -> any any² for
performance reasons.


On 6/20/14, 5:29 PM, "Johny George Malayil"
<johnygeorgemalayil at ...5176...> wrote:

>Hello All,
>I am a newbie to Snort. I am not sure if this is the correct forum to
>post my doubt.
>I was trying to write a rule for a simple HTML file detection. The head
>tag of the html file will always have a particular string,
>for example <head>hello world<head> and also the html files follow a
>particular pattern for filename followed by year,
>  for example filename2013.html.
>I want to write a snort rule to detect this pattern.
>I wrote the following rule.
>alert tcp any any -> any any ( content :"filename\\d{4}.html"; msg:"page
>access"; sid:100002; rev:1;)
>However I am not getting any alert in my console.
>Can some one please help me out?
>Thanks a lot in advance.:-)
>Johny George
>HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
>Find What Matters Most in Your Big Data with HPCC Systems
>Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
>Leverages Graph Analysis for Fast Processing & Easy Data Exploration
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
>Please visit http://blog.snort.org to stay current on all the latest
>Snort news!

More information about the Snort-users mailing list