
Re: [Snort-users] writing rule with uricontent keyword

Posted 03-02-2005 by Brian

On Mon, Feb 28, 2005 at 02:39:08PM -0500, Jiju Menon wrote:
> I tried to get an alert with a test rule using uricontent:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"yahoo.com";
> uricontent:"yahoo.com";nocase;)
>
> The rule seems not to detect a connection made to yahoo.com. Can
> anyone help me to get this rule working?


With the URL http://www.yahoo.com/foo.html, your packet will look
something like this:

GET /foo.html HTTP/1.1\r\nHost: www.snort.org\r\n\r\n

You need to write your rule to look something like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"yahoo.com";
content:"Host|3a|"; nocase; pcre:"/^Host\x3a.*yahoo\.com/mi";)

Brian
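
The difference between the two rules, as an added example that is not part of the original post: a Python approximation of a URI-only match versus a Host-header match, run over two constructed requests. The function names, the sample requests and the regex (a stand-in for the reply's pcre) are assumptions made for illustration.

```python
import re

# Constructed sample: the site of interest is named only in the Host header.
DIRECT = (b"GET /foo.html HTTP/1.1\r\n"
          b"Host: www.yahoo.com\r\n"
          b"User-Agent: example\r\n\r\n")

# Constructed sample: another host, but the string appears in the URI.
REDIRECT = (b"GET /go?to=yahoo.com HTTP/1.1\r\n"
            b"Host: www.snort.org\r\n"
            b"User-Agent: example\r\n\r\n")

# Stand-in for the reply's pcre: anchored at a line start (m flag),
# case-insensitive (i flag), colon written as \x3a, dots escaped.
HOST_RE = re.compile(rb"^Host\x3a.*yahoo\.com", re.M | re.I)


def split_request(raw):
    """Return (uri, header_block) from a raw HTTP request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1], headers


def uri_match(raw, needle):
    """Approximate uricontent with nocase: look only at the request URI."""
    uri, _ = split_request(raw)
    return needle.lower() in uri.lower()


def host_match(raw):
    """Approximate content:"Host|3a|" plus the pcre: look at the headers."""
    _, headers = split_request(raw)
    return b"host:" in headers.lower() and HOST_RE.search(headers) is not None


if __name__ == "__main__":
    for name, req in (("direct", DIRECT), ("redirect", REDIRECT)):
        print(name, "uri:", uri_match(req, b"yahoo.com"),
              "host:", host_match(req))
```

The URI-only check misses the direct request and fires on the unrelated one; the Host-header check does the opposite.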

