Snort mailing list archives

Re: Port problems in a rule


From: "Kurzawa, Kevin" <kkurzawa () co pinellas fl us>
Date: Mon, 20 Oct 2014 09:46:55 -0400

Wireshark shows a packet from local to testmyids.com where "Host: testmyids.com" appears in a GET request. It is indeed 
port 80. This was triggered via browsing to the URI testmyids.com.

It appears I'm not as familiar with what exactly the "content" looks at vs what the "pcre" looks at. The Snort manual 
didn't really clear things up for me. I thought they were two ways to search for the same stuff. 

Content: content in the packet payload.
PCRE: Doesn't state exactly what it looks at. 
 
The content filter should pick up the "Host: testmyids.com" inside of a HTTP packet with the following rule, right?
alert tcp any any -> any 80 (msg:"LOCAL-RULE Test for TestMyIDS.com"; content:"testmyids.com"; sid:1000001; rev:1;)
But it does not.
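The following is an added example, not part of the mail above and not Snort's own code: a small Python model of what "content" and "pcre" each look at. It assumes a simplified view of Snort's HTTP inspection (a raw buffer holding the whole TCP payload, plus a URI buffer and a header buffer carved out of a request), a constructed GET request to testmyids.com as the sample payload, and the rule-option semantics the Snort manual documents: "content" is a literal byte search, case-sensitive unless "nocase" is given, optionally restricted to one buffer by a modifier such as http_header or http_uri; "pcre" is a regular expression over the same buffers, with "i" for case-insensitivity and "H"/"U" selecting the header or URI buffer.

```python
import re

# Constructed sample payload (not a real capture): the request a browser
# sends when the user visits testmyids.com, as seen in the TCP payload.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: testmyids.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def http_buffers(payload: bytes) -> dict:
    """Split a request into buffers resembling those Snort's HTTP inspector
    exposes (simplified model, an assumption of this example): 'raw' is the
    whole payload, 'uri' the request target, 'header' the header lines."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    uri = request_line[1] if len(request_line) > 1 else b""
    header = b"\r\n".join(lines[1:]) + b"\r\n" if len(lines) > 1 else b""
    return {"raw": payload, "uri": uri, "header": header, "body": body}


def content_match(payload: bytes, pattern: bytes,
                  nocase: bool = False, buffer: str = "raw") -> bool:
    """Model of the 'content' option: a literal byte-for-byte search.
    Case-sensitive unless nocase is set; 'buffer' stands in for a modifier
    such as http_header ('header') or http_uri ('uri')."""
    haystack = http_buffers(payload)[buffer]
    if nocase:
        return pattern.lower() in haystack.lower()
    return pattern in haystack


def pcre_match(payload: bytes, regex: bytes, flags: str = "") -> bool:
    """Model of the 'pcre' option: a regular expression over a buffer.
    'i' makes it case-insensitive, 'H' runs it over the header buffer,
    'U' over the URI buffer; with no buffer letter it sees the raw payload."""
    buffer = "raw"
    if "H" in flags:
        buffer = "header"
    if "U" in flags:
        buffer = "uri"
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.search(regex, http_buffers(payload)[buffer], re_flags) is not None


def demo(payload: bytes = SAMPLE_REQUEST) -> dict:
    """Run the checks a rule writer would want to compare side by side."""
    return {
        # Exact-case literal from the mail's rule: found in the raw payload.
        "content_exact": content_match(payload, b"testmyids.com"),
        # Mixed case as in the msg string: content is case-sensitive.
        "content_mixed_case": content_match(payload, b"TestMyIDS.com"),
        "content_mixed_case_nocase": content_match(payload, b"TestMyIDS.com", nocase=True),
        # Restricting to the header buffer still finds the Host header...
        "content_http_header": content_match(payload, b"testmyids.com", buffer="header"),
        # ...but the URI buffer only holds "/", so http_uri would not match.
        "content_http_uri": content_match(payload, b"testmyids.com", buffer="uri"),
        # pcre over the header buffer, anchored to the Host header itself.
        "pcre_host_header": pcre_match(payload, rb"^Host:\s*testmyids\.com", "H"),
        # pcre with and without the i flag against an upper-case pattern.
        "pcre_upper_nocase": pcre_match(payload, rb"TESTMYIDS\.COM", "i"),
        "pcre_upper_case_sensitive": pcre_match(payload, rb"TESTMYIDS\.COM"),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:28s} {'match' if hit else 'no match'}")
```

The point the model makes: both options search the same bytes, but "content" is a literal match (fast, case-sensitive unless nocase) while "pcre" is a regex, and either can be pointed at a specific HTTP buffer. A lowercase "testmyids.com" is present in the sample request, so a plain content match on the raw payload succeeds in this model; whether the real sensor sees the same bytes depends on the packet actually reaching the rule engine, which is what a packet capture on the sensor side would confirm.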

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
