Simple rule to match /wp-admin/

[Avery Rozar <Avery.Rozar () i-techsupport com>]

I’ve noticed many attempts on  my network to access /wp-admin/ on all servers accessible via the web. I do not have any 
wordpress sites, so this is obviously malicious in nature. I would like to setup a rule to drop any and all attempts 
for wp-admin. The folioing is rule I added into the local.rules, and the sid-message.map has been updated via pulled 
pork.

This rule is not matching attempts. Any ideas or suggestions?

drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"drop - WP-Admin attempt"; flow:to_server; content:"wp-admin"; nocase; 
metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:10000001; rev:1;)


------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!