Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: can't get http_stat_code to firing

From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Fri, 23 Mar 2012 18:12:13 +0000
You traffic flow is backwards. 404's originate from the server, not from
the client.

-- Eoin

On 3/23/2012 3:02 PM, Anonymous forum wrote:

I have enabled the http_inspect and preprocessor enabled. I have
extended responses enabled. 
my rule is alert tcp any any -> $HTTP_SERVER $HTTP_PORTS (content:"404";
http_stat_code;sid:11111111111;msg:"url not found";)

why would it not be firing..


------------------------------------------------------------------------------
This SF email is sponsosred by:
Try Windows Azure free for 90 days Click Here 
http://p.sf.net/sfu/sfd2d-msazure



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



------------------------------------------------------------------------------
This SF email is sponsosred by:
Try Windows Azure free for 90 days Click Here 
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: