Quote:
Originally Posted by sniper8752
I go to somewhere that has "bad stuff".
Be specific and complete in providing info.
How do you "go there"? Browser? FTP client? Other?
Quote:
Originally Posted by sniper8752
Why does this not work?
Yes, that's the question. Now take it one step further and start diagnosing things from the ground up:
- Is this the only rule loaded?
- Does restarting Snort show any anomalies on stdout, stderr, syslog or its own log file?
- Do you use any BPF, alert or other suppression rules?
Quote:
Originally Posted by sniper8752
Code:
alert tcp any any -> any any
Shouldn't you be using the EXTERNAL_NET and HOME_NET variables and a remote port number to narrow down things?
Quote:
Originally Posted by sniper8752
Code:
content:"bad stuff";
How did you determine this is the correct string to use?
Quote:
Originally Posted by sniper8752
Code:
classtype:nonsense;
Should you jeopardize the troubleshooting process by making up nonexistent classes?
[EDIT]Also, if there is a particular reason why you need this rule please explain in detail. Because if this is about a (perceived) breach of security or some such thing I'd rather know right now.[/EDIT]
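An added example, not part of the thread and not code from either poster: a small Python linter that checks a Snort 2 rule for the three problems raised above (any/any addresses instead of $EXTERNAL_NET/$HOME_NET, no port restriction, a classtype that does not exist) plus a missing msg or sid. The corrected rule it is run against is hypothetical (the msg text, the use of $HTTP_PORTS and sid 1000001 are assumptions, not anything sniper8752 posted), and KNOWN_CLASSTYPES is only a subset of what ships in Snort's classification.config.

```python
"""Lint a Snort 2 rule for the problems raised in the reply above."""
import re

# Assumption: a subset of the classtypes shipped in Snort's
# classification.config. Add whatever your own file defines.
KNOWN_CLASSTYPES = {
    "attempted-admin", "attempted-user", "attempted-dos", "attempted-recon",
    "successful-admin", "successful-user", "trojan-activity",
    "web-application-attack", "web-application-activity", "policy-violation",
    "misc-activity", "misc-attack", "bad-unknown", "not-suspicious", "unknown",
    "shellcode-detect", "network-scan", "protocol-command-decode",
}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$"
)


def parse_rule(rule: str) -> dict:
    """Split a one-line rule into header fields and an option dict.

    Options are split on ';', so a content pattern containing a literal
    semicolon is not handled; good enough for a sanity check."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a rule header: " + rule)
    fields = m.groupdict()
    raw_opts = fields.pop("opts") or ""
    options = {}
    for opt in (o.strip() for o in raw_opts.split(";")):
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip()
    fields["options"] = options
    return fields


def lint_rule(rule: str) -> list:
    """Return a list of findings; an empty list means the rule passes."""
    r = parse_rule(rule)
    findings = []
    if r["src"] == "any" and r["dst"] == "any":
        findings.append("source and destination are both 'any'; "
                        "use $EXTERNAL_NET / $HOME_NET to say which side is which")
    if r["sport"] == "any" and r["dport"] == "any":
        findings.append("no port restriction; narrow to the service port "
                        "(e.g. $HTTP_PORTS) so every TCP segment is not inspected")
    opts = r["options"]
    classtype = opts.get("classtype")
    if classtype is None:
        findings.append("no classtype")
    elif classtype not in KNOWN_CLASSTYPES:
        findings.append(f"classtype '{classtype}' is not in classification.config; "
                        "Snort reports this at startup, so check stdout/syslog")
    for required in ("msg", "sid"):
        if required not in opts:
            findings.append(f"missing {required}; the alert cannot be identified")
    return findings


# Constructed inputs: the fragments quoted in the thread, reassembled, and a
# hypothetical corrected version of the same rule.
BAD_RULE = 'alert tcp any any -> any any (content:"bad stuff"; classtype:nonsense;)'
GOOD_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"LOCAL client requested bad stuff"; flow:to_server,established; '
    'content:"bad stuff"; nocase; classtype:policy-violation; sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    for label, rule in (("original", BAD_RULE), ("corrected", GOOD_RULE)):
        print(f"{label}: {rule}")
        for finding in lint_rule(rule) or ["ok"]:
            print("  -", finding)
```

The corrected rule still only matches the literal bytes "bad stuff" (case-insensitively, because of nocase); it says nothing about whether that string is actually what the remote site sends, which is the question raised above about how the content was chosen.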