[Snort-users] How to detect http response body

Maxim hittlle at ...7427...
Wed Nov 2 07:07:29 EDT 2016

Hi all,
We came across a weird scenario. We used the following rule to detect http response body
  alert tcp any any -> $HOME_NET any ( sid: 10000003; file_data; content:"ASED"; nocase; rev:1; classtype: misc-activity;msg:"cve-test";)
And we do see such a string in the response body, but snort did not trigger any alerts. Are we missing anything? Many thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161102/5a2cfb00/attachment.html>

More information about the Snort-users mailing list