Re: Creating a simple rule.

[Jason Brvenik <jasonb () sourcefire com>]

On it's face that should work but there could be a number of problems
with the rule or the packet. Can you provide the actual packet and rule
you are testing with?


Paul Halliday wrote:
> I am just trying to make a couple simple rules but they fail to fire.
>
> Can someone just clarify this:
>
> I am looking at a TCP packet with ethereal that looks like this:
>
> 06 bb 09 75 74 0c e2 c4 00 00 00 00 50 04 00 00 d4 4a 00
>
> I want the rule to fire on the pattern 00 50 04
>
> I have a rule that looks like:
>
> content:"|00 50 04|"
>
> yet it doesnt fire. Is there something that I have missed?
>
> Thanks.
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
> Register for a JBoss Training Course.  Free Certification Exam
> for All Training Attendees Through End of 2005. For more info visit:
> http://ads.osdn.com/?ad_idv28&alloc_id845&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=ort-users


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users