[Snort-users] Content Match

Mark Greenman mark.greenman.014 at ...11827...
Sat Jan 31 09:50:36 EST 2015

Hi. Do you know why snort creates two alerts for one content match?
I am using the following rule for content match:

alert tcp any any -> any any (msg:"Hit!"; content:"Tree"; sid:1000001;)

The file which is requested using HTTP and the logs created by snort in a
pcap file are attached to this email.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmp.pcap.1422715221
Type: application/octet-stream
Size: 680 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150131/d9aeb5a5/attachment.obj>
