This is a discussion on Re: [Snort-users] uricontent error within the Snort forums, part of the System Security and Security Related category.
For Win32...

Find what network interface you want to listen on by using:

snort -W

In my case the first two interfaces are 1394 adapters while the third is my actual ethernet interface that I use for my network. Refer to that interface by its number in your command line with the -i option.

snort -i 3

Hope that helps. I ran into this the first time running snort for win32.

-Russ

On 9/15/05, Dario Alonso <listasnort@yahoo.es> wrote:
> Hi.
> I'm trying a simple snort rule with uricontent, and it doesn't capture
> anything.
>
> My config file is this:
> ------------------------------
> var HOME_NET 172.26.0.0/24
> var EXTERNAL_NET any
> var HTTP_SERVERS 172.26.0.4
> var RULE_PATH c:\snort\rules
> var HTTP_PORTS 80
> #preprocessor frag2
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
> preprocessor stream4: disable_evasion_alerts
> preprocessor stream4_reassemble
>
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> include $RULE_PATH/rule1.txt
> ------------------------------
>
> And my rule1.txt is this:
> -----------------------------
> alert tcp any any <> any any (uricontent:"search";)
> alert tcp any any -> any any (uricontent:"exec"; )
> -----------------------------
>
> I run snort in windows
> snort -de -l c:\Snort\log -c c:\Snort\etc\snort.conf
>
> And search for the words exec or search in google, and... nothing at all.
>
> I was looking in the list's files, and I think everything is ok
>
> Thanks
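As an added illustration (not code from the thread or from Snort itself): a small Python model of how a uricontent pattern is compared against the normalized URI buffer that http_inspect produces, run over the two rules Dario posted and a few constructed request lines. The normalizer is only an approximation of http_inspect's behaviour; the point it shows is that the match is made on the decoded URI, and that without the nocase modifier it is case-sensitive.

```python
import re
from urllib.parse import unquote

# The two rules from the thread, exactly as posted.
RULES = [
    'alert tcp any any <> any any (uricontent:"search";)',
    'alert tcp any any -> any any (uricontent:"exec"; )',
]

# Constructed sample request lines (not from the thread).
SAMPLE_REQUESTS = [
    "GET /search?q=snort+uricontent HTTP/1.1",  # plain hit on "search"
    "GET /cgi-bin/%65xec?cmd=ls HTTP/1.1",      # "exec" hidden by %65 encoding
    "GET /images/logo.png HTTP/1.1",            # no hit
    "GET /a/../Search?q=x HTTP/1.1",            # capital S: case-sensitive miss
]

def normalize_uri(raw_uri):
    """Rough model (not Snort's code) of the http_inspect normalized-URI buffer:
    percent-decode, collapse repeated slashes, resolve ./ and ../ in the path."""
    path, sep, query = unquote(raw_uri).partition("?")
    segments = []
    for seg in re.sub(r"/{2,}", "/", path).split("/"):
        if seg == "..":
            if len(segments) > 1:   # keep the leading empty segment (root)
                segments.pop()
        elif seg != ".":
            segments.append(seg)
    return "/".join(segments) + sep + query

def parse_uricontent(rule):
    """Return (pattern, nocase) from the rule's option block."""
    m = re.search(r'uricontent:\s*"([^"]*)"', rule)
    if not m:
        raise ValueError("rule has no uricontent option")
    return m.group(1), bool(re.search(r"\bnocase\b", rule[rule.index("(") + 1:]))

def matching_rules(request_line, rules):
    """Rules whose uricontent appears in the normalized URI of the request.
    Without the nocase modifier the comparison is case-sensitive, as in Snort."""
    norm = normalize_uri(request_line.split()[1])
    hits = []
    for rule in rules:
        pattern, nocase = parse_uricontent(rule)
        haystack, needle = (norm.lower(), pattern.lower()) if nocase else (norm, pattern)
        if needle in haystack:
            hits.append(rule)
    return hits
```

Running matching_rules over SAMPLE_REQUESTS shows the first two requests alerting and the last two silent; adding nocase to the "search" rule makes the fourth request alert as well.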