Snort mailing list archives
content-based rules not detected
From: praveen kumar <praveen.sssgroups () gmail com>
Date: Wed, 22 Feb 2017 16:06:14 +0530
Hello , I have written content-based rule that matches for the payload (contents) of certain packets(against .pcap file) and that rule doesn't seem to work. ex: Step 1: I have added this rule in local.rules *alert tcp $HOME_NET any → $EXTERNAL_NET any (msg:”Worm detected”; content:”|d9 74 24 44|”; sid:1000006;rev:1; classtype:malicious-code; )* and, included local.rules in *snot.conf* file and also added classtype in* classification.config *file Step 2: Ran *sudo snort -A console -r malicious.pcap -c snort.conf * *Here, at the end (on console) we can see that rule being added but no alert is being triggered.* *Do i need to run any other command for payload-based rules to work ??* *And lastly I want to ask how to write content-based rules.* Please help in this regard Thank you
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- content-based rules not detected praveen kumar (Feb 22)
- Re: content-based rules not detected Bhargava Jandhyala (bjandhya) (Feb 22)