Snort mailing list archives
Content Match
From: Mark Greenman <mark.greenman.014 () gmail com>
Date: Sat, 31 Jan 2015 18:20:36 +0330
Hi. Do you know why snort creates two alerts for one content match? I am using the following rule for content match:

alert tcp any any -> any any (msg:"Hit!"; content:"Tree"; sid:1000001;)

The file which is requested using HTTP and the logs created by snort in a pcap file are attached to this email.

Thanks
Attachment: test5.txt
Attachment: tmp.pcap.1422715221
Current thread:
- Content Match Mark Greenman (Jan 31)
- Re: Content Match Al Lewis (allewi) (Feb 01)