Snort mailing list archives
Re: doubt regarding a snort rule
From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Date: Fri, 20 Jun 2014 22:39:48 +0000
Johny,

This is typically a post for the Snort-Sigs list.

You cannot implement a pcre in a content match; the pcre option is used for this...

Also, I would recommend cleaning up your rule's source/destination network and port. You should really never have a rule that is "alert tcp any any -> any any" for performance reasons.

-Nick

On 6/20/14, 5:29 PM, "Johny George Malayil" <johnygeorgemalayil () yahoo co in> wrote:
Hello All,

I am a newbie to Snort. I am not sure if this is the correct forum to post my doubt.

I was trying to write a rule for a simple HTML file detection. The head tag of the html file will always have a particular string, for example <head>hello world<head>, and also the html files follow a particular pattern for filename followed by year, for example filename2013.html. I want to write a snort rule to detect this pattern. I wrote the following rule.

alert tcp any any -> any any ( content :"filename\\d{4}.html"; msg:"page access"; sid:100002; rev:1;)

However I am not getting any alert in my console. Can someone please help me out?

Thanks a lot in advance. :-)

--
Thanks,
Johny George
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!