[Snort-users] URI content not being identified

Jelte masterjel5000 at ...125...
Thu May 8 11:44:34 EDT 2014


Hello all,

I have the following Snort rule:

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "HTTP content test";
content: "test.php"; classtype:web-application-attack; sid:5000001; rev:1;)

Now when I visit mysite.com/test.php an alert is correctly generated.
However, as soon as I change "content" to "uricontent", or add
"http_uri;" before the "classtype", no alert is generated. I analyzed
the traffic using tshark and I can see requests to "test.php" coming
through. Do you know any step I could take that may help to identify
what is causing this?

Thanks!




More information about the Snort-users mailing list