Snort mailing list archives

content-based rules not detected


From: praveen kumar <praveen.sssgroups () gmail com>
Date: Wed, 22 Feb 2017 16:06:14 +0530

Hello ,

I have written a content-based rule that matches the payload (contents)
of certain packets (against a .pcap file), and that rule doesn't seem to work.
Example:
Step 1: I have added this rule in local.rules
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Worm detected"; content:"|d9 74 24 44|"; sid:1000006; rev:1; classtype:malicious-code;)
        and included local.rules in the snort.conf file, and also added the
classtype in the classification.config file

Step 2: Ran sudo snort -A console -r malicious.pcap -c snort.conf

Here, at the end (on console) we can see that rule being added, but no
alert is being triggered.
Do I need to run any other command for payload-based rules to work?

And lastly, I want to ask how to write content-based rules.

Please help in this regard

Thank you
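As an added check, not part of the original post and not Snort's own code: the script below parses a classic libpcap file with only the Python standard library and reports which TCP segments carry the rule's content bytes and in which direction, so the result can be compared with the rule's $HOME_NET -> $EXTERNAL_NET header. The sample traffic is constructed here; for a real capture replace SAMPLE_PCAP with open("malicious.pcap", "rb").read() (filename assumed from the post).

```python
import struct
CONTENT = bytes.fromhex("d9742444")  # the bytes inside |...| in the posted rule

def parse_pcap(data):
    """Yield (linktype, frame) for every record in a classic libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"          # either byte order
    linktype = struct.unpack(end + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield linktype, data[off:off + incl]
        off += incl

def tcp_payloads(data):
    """Yield (src_ip, dst_ip, sport, dport, payload) for each Ethernet/IPv4/TCP frame."""
    for linktype, frame in parse_pcap(data):
        if linktype != 1 or len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue                                      # Ethernet + IPv4 only
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                                      # not TCP
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def find_content(data, content=CONTENT):
    """Return (src, dst, sport, dport) for every TCP segment whose payload holds content."""
    return [(s, d, sp, dp) for s, d, sp, dp, p in tcp_payloads(data) if content in p]

# --- constructed sample traffic (hypothetical; not the poster's capture) ---
def tcp_frame(src, dst, sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip               # zero MACs, checksums unset
def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = build_pcap([
    tcp_frame("10.0.0.5", "203.0.113.9", 49152, 80, b"GET / HTTP/1.0\r\n\r\n"),
    tcp_frame("203.0.113.9", "10.0.0.5", 80, 49152, b"HTTP/1.0 200 OK\r\n\r\n" + CONTENT),
])
```

In the constructed sample the bytes travel from the 203.0.113.9 side to 10.0.0.5, the reverse of the posted rule's direction, which is one reason a content match can be present in a capture yet raise no alert; the parser handles classic pcap only, not pcapng.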