I am trying to setup a Snort rule. Here is my rule:
I go to somewhere that has "bad stuff". But when I go there, I do not get any alerts in the log file. Why does this not work?

Be specific and complete providing nfo. How do you "go there"? Browser? FTP client Other?


Yes, that's the question. Now take it one step further and start diagnosing things from the ground up:
- Is this the only rule loaded?
- Does restarting Snort show any anomalies on stdout, stderr, syslog or its own log file?
- Do you use any BPF, alert or other suppression rules?


Shouldn't you be using the EXTERNAL_NET and HOME_NET variables and a remote port number to narrow down things?


How did you determine this is the correct string to use?


Should you jeopardize the troubleshooting process by making up nonexistent classes?


[EDIT]Also, if there is a particular reason why you need this rule please explain in detail. Because if this is about a (perceived) breach of security or some such thing I'd rather know right now.[/EDIT]