Snort mailing list archives

Re: test string not alerting


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 27 Aug 2015 19:30:12 +0000

Hello,

Are you generating tcp based traffic that contains the content “poop”?

Also, your rule SID should be above one million for local rules.



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Sean [mailto:sean.barmettler () gmail com]
Sent: Thursday, August 27, 2015 3:05 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] test string not alerting

I can do a simple ICMP alert that works:
alert icmp any any -> 20.1.1.10 any ( msg: "ICMP packet to high value target!"; sid: 1; rev:1; priority: 1;)

Yet I can't create a simple text string detector to detect HTML strings:
alert tcp any any <> any any (msg:"somebody farted"; content:"poop"; sid: 2; rev:2; priority: 1;)


I wouldn't waste a mailing list's time with this, but I've set up an entire ESXi lab with routers, switches, security monitors, and THIS... THIS is what is stumping me.

hints/clues/suggestions welcome.

thanks.

Sean
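To make the two points in the reply concrete (the content: pattern is matched against the payload of packets whose protocol equals the rule's, and local rules need a SID of at least 1,000,000), here is an added example, not code from either poster or from Snort itself: a small Python reimplementation of just those checks. It assumes plain-string content options only (no |hex| notation) and treats all IP and port fields as "any", which is what both rules in the thread use.

```python
import re
from dataclasses import dataclass, field

# Rule header: action proto src sport dir dst dport ( options )
HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# Options: "key: value;" pairs; a value may be a double-quoted string.
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class Rule:
    proto: str
    sid: int
    contents: list = field(default_factory=list)  # (pattern bytes, nocase) pairs


def parse_rule(text: str) -> Rule:
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = Rule(proto=m.group('proto').lower(), sid=-1)
    for key, value in OPTION.findall(m.group('opts')):
        if key == 'content':
            rule.contents.append((value.strip('"').encode(), False))
        elif key == 'nocase' and rule.contents:      # modifies the preceding content
            pattern, _ = rule.contents[-1]
            rule.contents[-1] = (pattern, True)
        elif key == 'sid':
            rule.sid = int(value)
    return rule


def matches(rule: Rule, proto: str, payload: bytes) -> bool:
    """Packet protocol must equal the rule's, and every content: pattern must
    occur in the payload (case-sensitive unless nocase was given)."""
    if proto.lower() != rule.proto:
        return False
    for pattern, nocase in rule.contents:
        hay, pat = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if pat not in hay:
            return False
    return True


def is_local_sid(rule: Rule) -> bool:
    """Local (user-written) rules are expected to use SIDs of 1,000,000 and above."""
    return rule.sid >= 1_000_000
```

Running Sean's rule through it shows that an ICMP packet carrying "poop" never reaches the content check, and that "POOP" in a TCP payload is not a match unless nocase is added.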

