snort-sigs February 2011 archive
Main Archive Page > Month Archives  > snort-sigs archives
snort-sigs: Re: [Snort-sigs] Question about a Snort rule

Re: [Snort-sigs] Question about a Snort rule

From: Nigel Houghton <nhoughton_at_nospam>
Date: Fri Feb 25 2011 - 15:39:36 GMT
To: Miso Patel <>

On Fri, 25 Feb 2011 09:21:14 -0600, Miso Patel wrote:
> My engineers are having trouble with a custom rule:
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"iPad related HTTP
> request"; content:"iPad"; http_uri; nocase; flags:S;
> classtype:bad-unknown; reference:url,;
> sid:18954545; rev:1;)
> Any help would be appreciated. The rule does not seem to be alerting
> for some reason and I think this could be a bug with Snort.
> Thanks.
> Miso, CISO

Your rule is looking for "iPad" in a URI. So for the event to occur you
would need something like

Additionally, you are using "flags:S;" so the only data you are looking
at is in SYN packets, so there won't be a URI in the packets anyway.

Take a look at the latest Snort manual, there are examples of rules
using the http options in there, get some packet capture data of the
traffic you wish to detect and take it from there.

I'm guessing you will have more questions as you proceed, feel free to
email the list with them. Send your revised rule to the list if you
like for further inspection.

-- Nigel Houghton Head Mentalist SF VRT Department of Intelligence Excellence && ------------------------------------------------------------------------------ Free Software Download: Index, Search & Analyze Logs and other IT data in Real-Time with Splunk. Collect, index and harness all the fast moving IT data generated by your applications, servers and devices whether physical, virtual or in the cloud. Deliver compliance at lower cost and gain new business insights. _______________________________________________ Snort-sigs mailing list