Snort mailing list archives

Content checking in Snort-2.8.3.2


From: bahamin takhtaei <b_takhtaei () yahoo com>
Date: Sun, 25 Jan 2009 06:25:11 -0800 (PST)

Hi,
I installed Snort-2.8.3.2 and checked some content rules, but Snort can't match any content
with "content-length > 2"!
For example:

I added these rules to local.rules:
1. alert tcp any any -> any any (sid:10001001; msg:"http-th"; content:"th"; nocase;)
2. alert tcp any any -> any any (sid:10001002; msg:"http-the"; content:"the"; nocase;)
3. alert tcp any any -> any any (sid:10001003; msg:"http-hex"; content: "|20 61 6e 64 20 64 69 72|"; nocase;)
4. alert tcp any any -> any any (sid:10001004; msg:"http-hex2"; content:"|20 61|"; nocase;)
-----------------------------------------------------------------------

Then I sent HTTP traffic to the Snort machine that contains many "the" patterns, but only rule 1 and rule 4 are triggered. Why,
please?

Note: my snort.conf is the sample config file that is on snort.org.



      