Snort mailing list archives

Re: doubt regarding a snort rule


From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Date: Fri, 20 Jun 2014 22:39:48 +0000

Johny,

This is typically a post for the Snort-Sigs list. You can not implement a
pcre in a content match, the pcre option is used for this... Also, I would
recommend cleaning up your rules source/destination network and port. You
should really never have a rule that is "alert tcp any any -> any any" for
performance reasons.

-Nick

On 6/20/14, 5:29 PM, "Johny George Malayil"
<johnygeorgemalayil () yahoo co in> wrote:

Hello All,

I am a newbie to Snort. I am not sure if this is the correct forum to
post my doubt.

I was trying to write a rule for a simple HTML file detection. The head
tag of the html file will always have a particular string,
for example <head>hello world<head> and also the html files follow a
particular pattern for filename followed by year,
 for example filename2013.html.

I want to write a snort rule to detect this pattern.

I wrote the following rule.

alert tcp any any -> any any ( content :"filename\\d{4}.html"; msg:"page access"; sid:100002; rev:1;)

However I am not getting any alert in my console.

Can some one please help me out?

Thanks a lot in advance. :-)

-- 
Thanks,
Johny George
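Added illustration, not part of the thread and not Snort's own code: the corrected rule in Snort 2.9 syntax, followed by a small Python model of why the posted rule stays silent. Snort's content option is a literal byte search, so the characters of \d{4} are looked for as themselves; the regular expression belongs in the pcre option, with a short literal content kept in front of it as the fast-pattern prefilter. The rule text assumes the web server sits in $HOME_NET and that the sid and variable names are local choices; the HTTP requests in the block are constructed for the example, not captured traffic.

```python
import re

# Constructed sample HTTP requests (assumption of this example, not real traffic).
SAMPLE_REQUESTS = [
    b"GET /reports/filename2013.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"GET /reports/filename.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"GET /reports/filename20134.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    # The only request the posted rule can ever match: the regex text, literally.
    b"GET /filename\\d{4}.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
]

# What Snort sees after unescaping content:"filename\\d{4}.html" -- a literal
# backslash, the letter d, the characters {4}, and so on.
POSTED_CONTENT = b"filename\\d{4}.html"

# Corrected rule as it would appear in a local .rules file (Snort 2.9 syntax;
# $HOME_NET as the server side and sid 1000002 are assumptions of this example):
#   alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"page access";
#     flow:to_server,established; content:"filename"; http_uri;
#     pcre:"/filename\d{4}\.html/U"; sid:1000002; rev:2;)
FIXED_CONTENT = b"filename"
FIXED_PCRE = rb"filename\d{4}\.html"


def request_uri(request: bytes) -> bytes:
    """Return the request-target of the HTTP request line (the http_uri buffer)."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def content_match(buffer: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """Model of Snort's content option: a literal byte-string search.
    Regex metacharacters in the pattern are matched as the bytes themselves."""
    if nocase:
        return pattern.lower() in buffer.lower()
    return pattern in buffer


def pcre_match(buffer: bytes, regex: bytes) -> bool:
    """Model of Snort's pcre option: a real regular expression over the buffer."""
    return re.search(regex, buffer) is not None


def rule_fires(request: bytes, content: bytes, pcre: bytes = b"") -> bool:
    """Evaluate a one-content rule in Snort's order: the literal content match
    is the cheap prefilter, and pcre is only consulted when the content hits."""
    uri = request_uri(request)
    if not content_match(uri, content):
        return False
    if pcre and not pcre_match(uri, pcre):
        return False
    return True


def matches_posted_rule(requests=SAMPLE_REQUESTS) -> list:
    """URIs on which the rule from the original post would alert."""
    return [request_uri(r) for r in requests if rule_fires(r, POSTED_CONTENT)]


def matches_fixed_rule(requests=SAMPLE_REQUESTS) -> list:
    """URIs on which the corrected content + pcre rule would alert."""
    return [request_uri(r) for r in requests
            if rule_fires(r, FIXED_CONTENT, FIXED_PCRE)]


if __name__ == "__main__":
    print("posted rule fires on:", matches_posted_rule())
    print("fixed rule fires on:", matches_fixed_rule())
```

Two practical notes on the corrected rule: restricting it to $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS with flow:to_server,established is the cleanup Nick asks for, since it keeps the rule off every other TCP stream; and sids below 1,000,000 are reserved for rules shipped with Snort, so local rules should start at 1000000 rather than 100002.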


------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
