[Snort-users] content-based rules not detected

Bhargava Jandhyala (bjandhya) bjandhya at ...589...
Wed Feb 22 06:24:48 EST 2017

Please use this rule

alert tcp $HOME_NET any → $EXTERNAL_NET any (msg:”Worm detected”; content:"|d9 74 24 44|"; rev:1; classtype:malicious-code;  )

no need any commend for payload-based rules.

For your help, some example

alert tcp any any -> any any (\
    msg:"Rule 2 -- alert since decode buffer searched by default"; \
    content:"|5a 7d 87 ff 00 02 03 28 05|"; \
    sid:2; rev:1)


From: praveen kumar <praveen.sssgroups at ...11827...>
Date: Wednesday, 22 February 2017 at 4:06 PM
To: "Snort-users at lists.sourceforge.net" <Snort-users at lists.sourceforge.net>
Subject: [Snort-users] content-based rules not detected

Hello ,

I have written content-based rule that matches for the payload (contents) of certain packets(against .pcap file) and that rule doesn't seem to work.
Step 1:  I have added this rule in local.rules
        alert tcp $HOME_NET any → $EXTERNAL_NET any (msg:”Worm detected”; content:”|d9 74 24 44|”; sid:1000006;rev:1; classtype:malicious-code;  )
        and, included local.rules in snot.conf file and also added classtype in classification.config file

Step 2: Ran sudo snort -A console -r malicious.pcap -c snort.conf

Here, at the end (on console) we can see that rule being added but no alert is being triggered.
Do i need to run any  other command for payload-based rules to work ??

And lastly I want to ask how to write content-based rules.

Please help in this regard

Thank you
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170222/06f33ab1/attachment.html>

More information about the Snort-users mailing list