Snort mailing list archives

Re: Content rule problem

From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 16 Apr 2004 16:16:10 -0400

At 01:55 PM 4/16/2004, Antonio Eugenio Villar wrote:

Seems weird but the rule below is not working on Snort
2.1.2. I appreciate some help.

alert tcp any any -> any any (msg: "XX"; content:
".ida?"; )

I also tried with uricontent and did not work.
I am reading a file with -r options with packet using
GET /default.ida?


Have you tried using the one that's in web-iis.rules? (sid 1243)

Seems silly to re-write a rule to do the same thing as one of the standardrules.




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Content rule problem Antonio Eugenio Villar (Apr 16)
- Re: Content rule problem Matt Kettler (Apr 16)