Is my Snort rule correct?

Discussion in 'other security issues & news' started by lunarlander, May 7, 2013.

Thread Status:
Not open for further replies.
  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi,

    I have made a Snort rule to detect the words "top secret":

    alert tcp any any -> any 80 (msg: "top secret"; content: "top secret"; nocase'; SID: 99999; )

    Is the rule correct? I don't get any alert when I type "top secret" into google.
     
  2. biscuitdh

    biscuitdh Registered Member

    Joined:
    May 9, 2013
    Posts:
    1
    Location:
    USA
    I'd try 443 also.
     
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,101
    A good website to sort out SNORT rules w/fwsnort is at CipherDyne - fwsnort.

    You may not be using fwsnort, but you could certainly ask the author of the Linux Firewalls book and the tool fwsnort at that website about your snort rule.

    -- Tom
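
Added example, not from any poster in this thread and not Snort's own parser: a simplified Python syntax check run over the rule exactly as posted at the top of the thread, which flags the stray apostrophe after `nocase`. The names `lint_rule` and `split_options` are hypothetical, and the check covers option syntax only, not the port or protocol question raised in the reply suggesting 443.

```python
import re

# The rule exactly as posted in the thread, stray apostrophe included.
POSTED_RULE = ('alert tcp any any -> any 80 (msg: "top secret"; '
               'content: "top secret"; nocase\'; SID: 99999; )')

# action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r'^\s*\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$')
KEYWORD_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]*$')


def split_options(body):
    """Split the option body on ';', ignoring ';' inside double quotes."""
    options, buf, in_quote, escaped = [], "", False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            options.append(buf.strip())
            buf = ""
            continue
        buf += ch
    return options, buf.strip(), in_quote


def lint_rule(rule):
    """Return a list of syntax problems found in one rule (empty if none)."""
    match = HEADER_RE.match(rule)
    if not match:
        return ["header or option parentheses malformed"]
    options, tail, open_quote = split_options(match.group(1))
    problems = []
    if open_quote:
        problems.append("unterminated double quote")
    elif tail:
        problems.append("option not terminated with ';': %r" % tail)
    names = set()
    for opt in options:
        name = opt.partition(":")[0].strip()
        if not KEYWORD_RE.match(name):
            problems.append("unexpected characters in option keyword: %r" % name)
        names.add(name.lower())  # keyword case is not checked here
    if "sid" not in names:
        problems.append("no sid option")
    return problems
```

Snort's own test mode (`snort -T -c` with the configuration file that includes the rule) is the authoritative check; this one only catches the kind of typo visible in the posted rule.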
     