[Snort-users] test string not alerting

Sean sean.barmettler at ...11827...
Thu Aug 27 16:32:34 EDT 2015


response (from a website's content), and no.  I'm looking for content on a
website that shouldn't be there.  I was going to try egress traffic after
that.  Haven't tried using the flow content modifier, no, but I'll attempt
that tonight.

On Thu, Aug 27, 2015 at 2:18 PM, Y M <snort at ...15979...> wrote:

> Is the content you are matching against in the request or response? Have
> you tried the same rule using the flow content modifier?
>
> Sent from Mobile
>
>
>
>
> On Thu, Aug 27, 2015 at 12:05 PM -0700, "Sean" <sean.barmettler at ...11827...>
> wrote:
>
> I can do a simple ICMP alert that works:
> alert icmp any any -> 20.1.1.10 any ( msg: "ICMP packet to high value
> target!"; sid: 1; rev:1; priority: 1;)
>
> Yet I can't create a simple text string detector to detect HTML strings:
> alert tcp any any <> any any (msg:"somebody farted"; content:"poop"; sid:
> 2; rev:2; priority: 1;)
>
>
> I wouldn't waste a mailing list's time with this, but I've set up an entire
> ESXi lab with routers, switches, security monitors, and THIS.. THIS is what
> is stumping me.
>
> hints/clues/suggestions welcome.
>
> thanks.
>
> Sean
>
>
>
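An added example (not part of Sean's or Y M's messages) of what "the flow content modifier" suggestion looks like in practice: a rule that inspects only HTTP response bodies, plus the Snort 2.9 http_inspect settings it relies on; the port variable, sid, rule file names and capture path are assumptions.

```snort
# --- snort.conf (Snort 2.9.x): make decompressed response bodies available ---
# Without these http_inspect_server options a gzip-encoded page never contains
# the literal string, so a plain content match on the raw payload stays silent.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    extended_response_inspection \
    inspect_gzip \
    unlimited_decompress

# --- local.rules ---
# The rule from the thread, for comparison: both directions, raw payload only,
# and a sid below 1000000 (the range reserved for Snort-distributed rules).
# alert tcp any any <> any any (msg:"somebody farted"; content:"poop"; sid:2; rev:2; priority:1;)

# Added rule: only server->client traffic on an established TCP session, with
# the match cursor placed in the normalized, decompressed HTTP response body.
# $HTTP_PORTS is the standard snort.conf variable; "poop" is the string from the thread.
alert tcp any $HTTP_PORTS -> any any ( \
    msg:"LOCAL unexpected string in HTTP response body"; \
    flow:to_client,established; \
    file_data; content:"poop"; nocase; \
    classtype:policy-violation; \
    sid:1000001; rev:1; \
)

# Verify offline against a capture of the page being fetched (path is a placeholder):
#   snort -c /etc/snort/snort.conf -r /path/to/capture.pcap -A console -q
# If the rule fires on the capture but not on live traffic, the sensor is not
# seeing both directions of the session: flow:established needs the full handshake.
```

Running the same capture with the original any/any rule and then with this one shows whether the miss is the buffer (compressed or chunked body) or the sensor placement (one-sided traffic).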

