[Snort-users] Rule not working
This is a discussion on [Snort-users] Rule not working within the Snort forums, part of the System Security and Security Related category; I am trying to write the below rule that will detect visits to "rediff.com" site. But Snort ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
05-11-2004
|
|||
|
|||
[Snort-users] Rule not working
I am trying to write the below rule that will detect visits to "rediff.com"
site. But Snort does not seem to detect it. Anything wrong with what i am doing?? btw. the snort.conf file does have the below line preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace alert tcp any any -> any any (msg:"Somebody visiting Rediff.com site"; uriconten t:"rediff.com"; reference:url,http://www.cisco.com/warp/public/707...sn-20040326-ex ploits.shtml; classtype:attempted-dos; sid:999999; rev:2;) Ignore the "reference", the classtype, sid and rev in the above rule. Thanks and Regards Simon ------------------------------------------------------- This SF.Net email is sponsored by Sleepycat Software Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver higher performing products faster, at low TCO. http://www.sleepycat.com/telcomwpreg...rom=osdnemail3 _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
