[Snort-users] test string not alerting

Y M snort at ...15979...
Thu Aug 27 16:18:01 EDT 2015


Is the content you are matching against in the request or response? Have you tried the same rule using the flow content modifier?

Sent from Mobile




On Thu, Aug 27, 2015 at 12:05 PM -0700, "Sean" <sean.barmettler at ...11827...> wrote:
I can do a simple ICMP alert that works:
alert icmp any any -> 20.1.1.10 any ( msg: "ICMP packet to high value
target!"; sid: 1; rev:1; priority: 1;)

Yet I cant create a simple text string detector to detect HTML strings:
alert tcp any any <> any any (msg:"somebody farted"; content:"poop"; sid:
2; rev:2; priority: 1;)


I wouldnt waste a mailing lists time with this, but I've setup an entire
ESXI lab with routers, switches, security monitors, and THIS.. THIS is what
is stumping me.

hints/clues/suggestions welcome.

thanks.

Sean
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150827/62e39af1/attachment.html>
-------------- next part --------------
------------------------------------------------------------------------------
-------------- next part --------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


More information about the Snort-users mailing list