[Snort-users] test string not alerting

snort at ...15979... snort at ...15979...
Thu Aug 27 16:38:13 EDT 2015


While you are at it, may I also suggest visiting the http content modifiers? They allow you to specify where exactly in the response to look for your content: headers, body, etc.
This can help ease debugging.
Also, is the Snort VM NIC setup to be promiscuous and on the same vSwitch you are monitoring?
Sent from Mobile


On Thu, Aug 27, 2015 at 1:32 PM -0700, "Sean" <sean.barmettler at ...11827...> wrote:
response (from a website's content), and no.  I'm looking for content on a
website that shouldn't be there.  I was going to try egress traffic after
that.  Haven't tried using the flow content modifier, no, but I'll attempt
that tonight.

On Thu, Aug 27, 2015 at 2:18 PM, Y M <snort at ...15979...> wrote:

> Is the content you are matching against in the request or response? Have
> you tried the same rule using the flow content modifier?
>
> Sent from Mobile
>
>
>
>
> On Thu, Aug 27, 2015 at 12:05 PM -0700, "Sean" <sean.barmettler at ...14459.....>
> wrote:
>
> I can do a simple ICMP alert that works:
> alert icmp any any -> 20.1.1.10 any ( msg: "ICMP packet to high value
> target!"; sid: 1; rev:1; priority: 1;)
>
> Yet I can't create a simple text string detector to detect HTML strings:
> alert tcp any any <> any any (msg:"somebody farted"; content:"poop"; sid:
> 2; rev:2; priority: 1;)
>
>
> I wouldn't waste a mailing list's time with this, but I've set up an entire
> ESXi lab with routers, switches, security monitors, and THIS.. THIS is what
> is stumping me.
>
> hints/clues/suggestions welcome.
>
> thanks.
>
> Sean
>
>
>
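The two suggestions above (the flow modifier and the http content modifiers), applied to Sean's test rule, as an added example that is not part of the original thread. It assumes Snort 2.9.x rule syntax, the stock snort.conf variable $HTTP_PORTS, and the local-rule sid range (1000000 and up); the test string "poop" is reused from Sean's rule, and the msg texts and sids are made up for the example.

```snort
# Added example (not from the thread). Assumes Snort 2.9.x, the stock
# snort.conf $HTTP_PORTS variable, and local sids >= 1000000.

# 1) Sean's original test rule, for comparison: no direction, raw payload
#    match on every TCP packet, no stream or HTTP awareness.
# alert tcp any any <> any any (msg:"somebody farted"; content:"poop"; sid:2; rev:2; priority:1;)

# 2) Same string, but only in an established session, server -> client,
#    and only in the (reassembled, decompressed) HTTP response body.
alert tcp any $HTTP_PORTS -> any any ( \
    msg:"TEST string in HTTP response body"; \
    flow:established,to_client; \
    file_data; content:"poop"; nocase; \
    classtype:policy-violation; sid:1000001; rev:1; )

# 3) Same string, but only in the response headers.
alert tcp any $HTTP_PORTS -> any any ( \
    msg:"TEST string in HTTP response header"; \
    flow:established,to_client; \
    content:"poop"; http_header; nocase; \
    classtype:policy-violation; sid:1000002; rev:1; )

# 4) The egress direction Sean planned to test next: same string in the
#    request URI, client -> server only.
alert tcp any any -> any $HTTP_PORTS ( \
    msg:"TEST string in HTTP request URI"; \
    flow:established,to_server; \
    content:"poop"; http_uri; nocase; \
    classtype:policy-violation; sid:1000003; rev:1; )
```

Two things to check before blaming the rule. First, the http_inspect_server block in snort.conf: `file_data` and `http_header` only see what the preprocessor was allowed to inspect, so the response depth must not cut the body off (the stock snort.conf ships `server_flow_depth 0`, meaning the whole response; if that option is omitted the manual's default is 300 bytes), and `extended_response_inspection` plus `inspect_gzip` are what let `file_data` match inside a compressed body. Second, take the vSwitch out of the equation: capture the exchange with tcpdump on the sniffing interface and replay it with `snort -c snort.conf -r capture.pcap -A console`. If the pcap alerts but the live sensor does not, the problem is visibility (promiscuous mode on the VM's port group), not the signature. None of these rules can match a string inside a TLS-encrypted response.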

