[Snort-users] content-based rules not detected

praveen kumar praveen.sssgroups at ...11827...
Wed Feb 22 05:36:14 EST 2017

Hello ,

I have written content-based rule that matches for the payload (contents)
of certain packets(against .pcap file) and that rule doesn't seem to work.
Step 1:  I have added this rule in local.rules
        *alert tcp $HOME_NET any → $EXTERNAL_NET any (msg:”Worm detected”;
content:”|d9 74 24 44|”; sid:1000006;rev:1; classtype:malicious-code;  )*
        and, included local.rules in *snot.conf* file and also added
classtype in* classification.config *file

Step 2: Ran *sudo snort -A console -r malicious.pcap -c snort.conf *

*Here, at the end (on console) we can see that rule being added but no
alert is being triggered.*
*Do i need to run any  other command for payload-based rules to work ??*

*And lastly I want to ask how to write content-based rules.*

Please help in this regard

Thank you
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170222/ac40eddf/attachment.html>

More information about the Snort-users mailing list