I've posted this before on Reddit, but I got no answers and I'm trying to understand what's going on in Snort.
What I've been trying to do is create a rule such that, when I write (e.g.) "apples" in Bing using IE9 (because HTTPS would encrypt traffic, and Chrome and Firefox add HTTPS automatically), I should get an alert log saying "You have searched apples" or something similar.
Right now my rule looks like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"There are apple results"; content:"apple"; nocase; sid:1000004;)
But the only logs I get are:
Reset outside window
I would really appreciate a bit of help on this. I'm stuck and I've searched everywhere for an answer. Does anyone have Snort installed? If so, can you get your message correctly in the logs?
Also, I don't have any other rules, just that one, so that I can make sure nothing interferes with it.