Snort mailing list archives
uricontent error
From: Dario Alonso <listasnort () yahoo es>
Date: Thu, 15 Sep 2005 07:07:01 +0200 (CEST)
Hi. I'm trying a simple Snort rule with uricontent, and it doesn't capture anything. My config file is this:

------------------------------
var HOME_NET 172.26.0.0/24
var EXTERNAL_NET any
var HTTP_SERVERS 172.26.0.4
var RULE_PATH c:\snort\rules
var HTTP_PORTS 80
#preprocessor frag2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
include $RULE_PATH/rule1.txt
------------------------------

And my rule1.txt is this:

-----------------------------
alert tcp any any <> any any (uricontent:"search";)
alert tcp any any -> any any (uricontent:"exec"; )
-----------------------------

I run Snort on Windows:

snort -de -l c:\Snort\log -c c:\Snort\etc\snort.conf

And I search for the words exec or search in Google, and... nothing at all. I was looking in the list's files, and I think everything is OK.

Thanks
Current thread:
- uricontent error Dario Alonso (Sep 14)
- Re: uricontent error Joel Esler (Sep 14)
- Re: uricontent error Jason Haar (Sep 14)
- Re: uricontent error Russ Starr (Sep 14)
- Re: uricontent error Joel Esler (Sep 14)