[Snort-users] URI content not being identified

Y M snort at ...15979...
Thu May 8 12:06:24 EDT 2014


> Date: Thu, 8 May 2014 17:44:34 +0200
> From: masterjel5000 at ...125...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] URI content not being identified
> 
> Hello all,
> 
> I have the following Snort rule:
> 
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "HTTP content test";
> content: "test.php"; classtype:web-application-attack; sid:5000001; rev:1;)
> 
> Now when I visit mysite.com/test.php an alert is correctly generated.
> However, as soon as I change "content" to "uricontent", or add
> "http_uri;" before the "classtype", no alert is generated. I analyzed
> the traffic using tshark and I can see requests to "test.php" coming
> through. Do you know any step I could take that may help to identify
> what is causing this?
Changing the "content:" to "uricontent" or "http_uri" should not work. The "content" keyword allows you to search for a string pattern, in your case "/test.php". Content modifiers, on the other hand, apply to your content. So to have your rule corrected, try something like:
content:"/test.php"; http_uri;
I would also add flow direction in the rule: flow:to_server, established for example, depending on the direction of the traffic (3-way handshake).
> 
> Thanks!
> 
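To make the buffer semantics behind this exchange concrete, here is an added example (not from the list post or the Snort project). It parses the option block of rules like the one above, expands the legacy uricontent keyword into content plus http_uri, flags a modifier that has no preceding content to attach to, and then checks each content against a constructed HTTP request. The buffer split, the URI normalization (percent-decoding and slash collapsing), the request samples and the sids 5000002/5000003 are all assumptions made for the example, not Snort's real preprocessor logic.

```python
"""Toy model of how Snort 2.x content options select a buffer.

Added example (not from the list post or the Snort project). The buffer
split and URI normalization below are simplified stand-ins for what
Snort's HTTP preprocessor does.
"""
import re
from urllib.parse import unquote

# Modifiers that attach to the content immediately before them (Snort 2.9 names).
CONTENT_MODIFIERS = {"http_uri", "http_raw_uri", "http_header", "http_client_body",
                     "http_method", "nocase"}

# keyword, optional ":value" (quoted or bare), terminated by ";"
OPTION_RE = re.compile(r'([a-zA-Z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(rule):
    """Return (keyword, value) pairs from the parenthesised option block of a rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(key, val.strip().strip('"') if val.strip() else None)
            for key, val in OPTION_RE.findall(body)]


def analyze(rule):
    """Group each content with its buffer and modifiers; collect lint problems."""
    contents, problems = [], []
    options = parse_options(rule)
    for key, val in options:
        if key == "uricontent":          # legacy spelling of content + http_uri
            contents.append({"pattern": val, "buffer": "http_uri", "nocase": False})
        elif key == "content":           # bare content searches the whole payload
            contents.append({"pattern": val, "buffer": "payload", "nocase": False})
        elif key in CONTENT_MODIFIERS:
            if not contents:
                problems.append(f"'{key}' has no preceding content to modify")
            elif key == "nocase":
                contents[-1]["nocase"] = True
            else:
                contents[-1]["buffer"] = key
    if not any(key == "flow" for key, _ in options):
        problems.append("no flow option; consider flow:to_server,established")
    return contents, problems


def lint(rule):
    """Just the problems found by analyze()."""
    return analyze(rule)[1]


def http_buffers(raw):
    """Split a request into the buffers a rule can select (simplified model)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, raw_uri, _version = request_line.split(b" ", 2)
    # Simplified normalization: percent-decode and collapse repeated slashes.
    norm_uri = re.sub(rb"/+", b"/", unquote(raw_uri.decode()).encode())
    return {"payload": raw, "http_method": method, "http_raw_uri": raw_uri,
            "http_uri": norm_uri, "http_header": b"\r\n".join(header_lines),
            "http_client_body": body}


def rule_matches(rule, raw_request):
    """True when every content in the rule is found in the buffer it selects."""
    contents, _ = analyze(rule)
    bufs = http_buffers(raw_request)
    for c in contents:
        haystack, needle = bufs[c["buffer"]], c["pattern"].encode()
        if c["nocase"]:
            haystack, needle = haystack.lower(), needle.lower()
        if needle not in haystack:
            return False
    return True


HEADER = 'alert tcp any any -> $HOME_NET $HTTP_PORTS '
# The poster's rule, the corrected form from the reply, and a deliberately
# broken variant with the modifier placed before any content (sids constructed).
RULE_ANY_BUFFER = HEADER + ('(msg:"HTTP content test"; content:"test.php"; '
                            'classtype:web-application-attack; sid:5000001; rev:1;)')
RULE_URI = HEADER + ('(msg:"HTTP URI test"; flow:to_server,established; '
                     'content:"/test.php"; http_uri; '
                     'classtype:web-application-attack; sid:5000002; rev:1;)')
RULE_DANGLING = HEADER + ('(msg:"modifier before content"; flow:to_server,established; '
                          'http_uri; content:"/test.php"; sid:5000003; rev:1;)')

# Constructed requests: a URI hit, the same string only in a POST body, and a
# percent-encoded URI (%74 is 't') that a raw payload search does not see.
REQ_URI_HIT = b"GET /test.php?id=1 HTTP/1.1\r\nHost: mysite.com\r\n\r\n"
REQ_BODY_ONLY = (b"POST /upload HTTP/1.1\r\nHost: mysite.com\r\n"
                 b"Content-Length: 17\r\n\r\nfilename=test.php")
REQ_ENCODED = b"GET /%74est.php HTTP/1.1\r\nHost: mysite.com\r\n\r\n"

if __name__ == "__main__":
    for name, rule in [("any buffer", RULE_ANY_BUFFER), ("http_uri", RULE_URI)]:
        print(name, [rule_matches(rule, r) for r in (REQ_URI_HIT, REQ_BODY_ONLY, REQ_ENCODED)])
    print(lint(RULE_DANGLING))
```

Run stand-alone it shows the trade-off the thread is about: the bare content rule fires on the POST body as well as the URI (a false positive) yet misses the percent-encoded request, while the http_uri form fires only on the normalized URI and therefore catches the encoded variant and ignores the body.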