Snort mailing list archives
Re: can't get http_stat_code to firing
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Fri, 23 Mar 2012 18:12:13 +0000
Your traffic flow is backwards. 404's originate from the server, not from the client.

-- Eoin

On 3/23/2012 3:02 PM, Anonymous forum wrote:
> I have enabled the http_inspect and preprocessor enabled. I have extended responses enabled. My rule is
>
> alert tcp any any -> $HTTP_SERVER $HTTP_PORTS (content:"404"; http_stat_code;sid:11111111111;msg:"url not found";)
>
> Why would it not be firing..
>
> ------------------------------------------------------------------------------
> This SF email is sponsored by:
> Try Windows Azure free for 90 days Click Here
> http://p.sf.net/sfu/sfd2d-msazure
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
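The direction mismatch pointed out in the reply can be checked mechanically across a ruleset. The following Python lint is an added example, not part of the original thread or of Snort: it flags rules that use the response-only modifiers `http_stat_code` or `http_stat_msg` while the rule header or `flow` option targets client-to-server traffic. The server variable names, the corrected rule and its sid `1000001` are assumptions constructed for illustration.

```python
import re

# Content modifiers that only ever match HTTP *response* data.
RESPONSE_ONLY = {"http_stat_code", "http_stat_msg"}
# Assumption: these variable names denote the web servers in this ruleset.
SERVER_VARS = {"$HTTP_SERVER", "$HTTP_SERVERS"}
# action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_options(body):
    """Split the option body on ';' outside double quotes into (name, value) pairs."""
    opts, buf, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            name, _, value = buf.strip().partition(":")
            if name.strip():
                opts.append((name.strip(), value.strip()))
            buf = ""
        else:
            buf += ch
    return opts

def lint_direction(rule):
    """Return findings for response-only modifiers on client-to-server rules."""
    m = RULE_RE.match(rule)
    if not m:
        return ["unparseable rule"]
    arrow, dst, body = m.group(5, 6, 8)
    opts = parse_options(body)
    used = sorted(RESPONSE_ONLY & {name for name, _ in opts})
    if not used:
        return []
    findings = []
    if arrow == "->" and dst in SERVER_VARS:
        findings.append(f"{', '.join(used)} used but rule header points at {dst}")
    for name, value in opts:
        if name == "flow" and re.search(r"\b(to_server|from_client)\b", value):
            findings.append(f"{', '.join(used)} used with flow:{value}")
    return findings

# The rule from the question, verbatim, and a constructed corrected form.
ORIGINAL = ('alert tcp any any -> $HTTP_SERVER $HTTP_PORTS '
            '(content:"404"; http_stat_code;sid:11111111111;msg:"url not found";)')
CORRECTED = ('alert tcp $HTTP_SERVER $HTTP_PORTS -> any any '
             '(msg:"url not found"; flow:established,to_client; '
             'content:"404"; http_stat_code; sid:1000001; rev:1;)')
```

`lint_direction(ORIGINAL)` reports the header pointing at `$HTTP_SERVER`, while `lint_direction(CORRECTED)` returns an empty list.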
Current thread:
- can't get http_stat_code to firing Anonymous forum (Mar 23)
- Re: can't get http_stat_code to firing Eoin Miller (Mar 23)