Snort mailing list archives
Fwd: snort content matching rules
From: Jim Reprogle <jim.reprogle () gmail com>
Date: Tue, 6 May 2014 16:53:20 -0500
I'm new to using snort, so I've been looking around on the various mailing lists, groups, archives, forums, etc. for an answer to what appears to be an obvious question, but for the life of me I can't find one. Hopefully this isn't something that's been beaten to death in other threads, but here goes anyway.

I've installed snort on a CentOS 6.4 machine and have gotten basic alerting working. However, whenever I attempt a simple rule that looks at the payload (content) of certain packets, that rule doesn't seem to work at all. For example, this rule works all day long:

    alert udp any any <> any 53 (msg:"DNS Query"; sid:1000001; rev:1;)

However, if I try to make the rule match only on PTR lookups, it stops working entirely.

    alert udp any any <> any 53 (msg:"DNS Query"; content:"PTR "; sid:1000001; rev:1;)

I've tried rules using the rawbytes directive, and they don't seem to work either. Please help me out here, as I'm certain that I've done something painfully obvious to make these simple content rules not work.
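Added example (not part of the original post): it constructs the UDP payload of a DNS PTR query the way it actually appears on the wire (RFC 1035 length-prefixed labels plus a two-byte QTYPE/QCLASS), then runs a minimal stand-in for a Snort content check over it, so you can see which content strings can and cannot match such a packet. It assumes standard Snort content syntax, where |..| brackets hex bytes; the IP address and transaction ID are constructed sample values.

```python
import struct


def dns_name(name: str) -> bytes:
    """Encode a dotted name as DNS length-prefixed labels, ending in a zero length."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_ptr_query(ip: str, txid: int = 0x1234) -> bytes:
    """Constructed UDP payload of a reverse (PTR) lookup for an IPv4 address.

    The literal text "PTR" never appears: the record type is the 16-bit value 12
    in the question section, and the name is the reversed-octet in-addr.arpa form.
    """
    reverse_name = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = dns_name(reverse_name) + struct.pack(">HH", 12, 1)  # QTYPE=PTR, QCLASS=IN
    return header + question


def snort_content_bytes(content: str) -> bytes:
    """Turn a Snort content string (with |hex| escapes) into the raw bytes it matches."""
    out, in_hex = bytearray(), False
    for chunk in content.split("|"):
        out += bytes.fromhex(chunk) if in_hex else chunk.encode()
        in_hex = not in_hex
    return bytes(out)


def content_matches(payload: bytes, content: str) -> bool:
    """Plain substring search, which is what an unanchored content: match boils down to."""
    return snort_content_bytes(content) in payload


if __name__ == "__main__":
    pkt = build_ptr_query("192.0.2.10")  # constructed sample address
    print(pkt.hex())
    for c in ["PTR ", "in-addr", "|00 0c 00 01|"]:
        print(f'content:"{c}"; -> {content_matches(pkt, c)}')
```

The ASCII pattern finds nothing, while the label text "in-addr" and the hex QTYPE/QCLASS bytes |00 0c 00 01| both match; in a real rule the hex form would still want an offset or depth so it is checked at the end of the question rather than anywhere in the payload.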