[Snort-users] content-based rules not detected
praveen.sssgroups at ...11827...
Wed Feb 22 05:36:14 EST 2017
I have written a content-based rule that matches the payload (contents)
of certain packets (against a .pcap file), and that rule doesn't seem to work.
Step 1: I have added this rule in local.rules

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Worm detected";
content:"|d9 74 24 44|"; sid:1000006; rev:1; classtype:malicious-code;)

and included local.rules in the snort.conf file, and also added the
classtype in the classification.config file.
Step 2: Ran sudo snort -A console -r malicious.pcap -c snort.conf

Here, at the end (on the console) we can see that rule being added, but no
alert is being triggered.
Do I need to run any other command for payload-based rules to work?
And lastly I want to ask how to write content-based rules.
Please help in this regard
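A quick offline check for the situation described above, added here as an example and not part of the original post: it walks a pcap's IPv4/TCP payloads with the standard library only and reports where the rule's content bytes |d9 74 24 44| occur and between which addresses, so each hit's source and destination can be compared against the rule's $HOME_NET -> $EXTERNAL_NET direction (a hit in the other direction, or in a non-TCP packet, will never fire this rule). The pcap, addresses and payloads below are constructed for the demonstration.

```python
import socket, struct

# Bytes from the rule's content:"|d9 74 24 44|" option
CONTENT = bytes.fromhex("d9742444")

def tcp_payloads(pcap: bytes):
    """Yield (src_ip, dst_ip, payload) for each IPv4/TCP frame in a classic little-endian pcap."""
    assert struct.unpack_from("<I", pcap)[0] == 0xA1B2C3D4, "little-endian pcap expected"
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                          # not IPv4/TCP: an "alert tcp" rule never sees it
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet + IP header (IHL)
        if len(tcp) < 20:
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        yield src, dst, tcp[(tcp[12] >> 4) * 4:]  # payload starts after TCP data offset

def find_content(pcap: bytes, content: bytes = CONTENT):
    """Return (src, dst, offset) for every TCP payload containing the content bytes.
    Compare src/dst with HOME_NET/EXTERNAL_NET: the rule only fires for HOME -> EXTERNAL."""
    return [(s, d, p.find(content)) for s, d, p in tcp_payloads(pcap) if content in p]

def frame(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; enough for this check)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 4444, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)  # PSH|ACK
    return eth + ip + tcp + payload

def build_pcap(frames) -> bytes:
    """Constructed pcap file wrapping the given frames (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([  # constructed sample: one benign request, one hit per direction
    frame("192.168.1.10", "10.0.0.5", b"GET / HTTP/1.1\r\n"),
    frame("10.0.0.5", "192.168.1.10", b"\x90\x90" + CONTENT + b"\xcc"),
    frame("192.168.1.10", "10.0.0.5", CONTENT + b"\x00" * 4),
])
```

To test a real capture, replace SAMPLE_PCAP with the bytes of the pcap file; if find_content reports no hits at all, the problem is the pattern or the traffic rather than the rule syntax.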