Snort mailing list archives
Re: Port problems in a rule
From: "Kurzawa, Kevin" <kkurzawa () co pinellas fl us>
Date: Mon, 20 Oct 2014 09:46:55 -0400
Wireshark shows a packet from local to testmyids.com where "Host: testmyids.com" appears in a GET request. It is indeed port 80. This was triggered via browsing to the URI testmyids.com.

It appears I'm not as familiar with what exactly the "content" looks at vs what the "pcre" looks at. The snort manual didn't really clear things up for me. I thought they were two ways to search for the same stuff.

Content: content in the packet payload.
PCRE: Doesn't state exactly what it looks at.

The content filter should pick up the "Host: testmyids.com" inside of an HTTP packet with the following rule, right?

alert tcp any any -> any 80 (msg: "LOCAL-RULE Test for TestMyIDS.com"; content:"testmyids.com";)

But it does not.