Snort mailing list archives
Re: uricontent error
From: Russ Starr <russ.starr () gmail com>
Date: Thu, 15 Sep 2005 00:32:58 -0500
For Win32...

Find what network interface you want to listen on by using:

snort -W

In my case the first two interfaces are 1394 adapters while the third is my actual ethernet interface that I use for my network. Refer to that interface by its number in your command line with the -i option.

snort -i 3

Hope that helps. I ran into this the first time running snort for win32.

-Russ

On 9/15/05, Dario Alonso <listasnort () yahoo es> wrote:
Hi.
I'm trying a simple snort rule with uricontent, and it doesn't capture
anything.
My config file is this:
------------------------------
var HOME_NET 172.26.0.0/24
var EXTERNAL_NET any
var HTTP_SERVERS 172.26.0.4
var RULE_PATH c:\snort\rules
var HTTP_PORTS 80
#preprocessor frag2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
include $RULE_PATH/rule1.txt
------------------------------
And my rule1.txt is this:
-----------------------------
alert tcp any any <> any any (uricontent:"search";)
alert tcp any any -> any any (uricontent:"exec"; )
-----------------------------
I run snort in windows
snort -de -l c:\Snort\log -c c:\Snort\etc\snort.conf
And search the words exec or search in google, and... nothing at all.
I was looking in the list's files, and I think everything is ok
Thanks
