Creating snort content rules

0 votes
Asked by: (2.6k points)

I've posted this before in reddit, but I got no answers and I'm trying to understand what's going on in Snort. Link: here

What I've been trying to do is to create a rule for which, when I write (i.e.) "apples" in Bing using IE9 (because https would encrypt traffic, and Chrome and Firefox add https automatically), I should get an alert log saying "You have searched apples" or something similar.

Right now my rule looks like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"There are apple results"; content:"apple"; nocase; sid:1000004;)

But the only logs I get are:

Reset outside window

I would really appreciate a bit of help on this. I'm stuck and I've searched everywhere for an answer. Does anyone have Snort installed? If so, can you get your message correctly in the logs?

Also, I don't have any other rule, just that one, so I make sure nothing interferes with it.
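As an added illustration (my own code, not the asker's and not part of Snort), the script below parses the content / nocase / http_uri / flow options of a Snort 2 rule and evaluates them against constructed HTTP request and response payloads. It shows two things a practitioner would check before trusting the logs: the bare content:"apple"; nocase; rule matches far more than searches (every WebKit browser sends "AppleWebKit" in its User-Agent, so the rule fires on ordinary page loads), and a rule that anchors the pattern to the request URI with flow:established,to_server fires only on the search request itself. The "Reset outside window" line in the question is a stream5 preprocessor event, not output from this rule, so its presence says nothing about whether content:"apple" ever matched. The second rule (sid 1000005), the sample requests and the matcher are constructed here; the matcher approximates Snort's semantics and ignores URI normalization.

```python
"""Minimal evaluator for a subset of Snort 2 rule options (content, nocase,
http_uri, flow:to_server), run over constructed HTTP payloads.

Added example, not Snort code: Snort's real matching is done by the
detection engine over normalized buffers; this only approximates it.
"""
import re

# The asker's rule, verbatim: matches "apple" anywhere in any TCP payload.
RULE_BARE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
             '(msg:"There are apple results"; content:"apple"; nocase; '
             'sid:1000004;)')

# Constructed tighter rule (sid in the local 1000000+ range): only client
# requests, only the request URI, only the search parameter itself.
RULE_HTTP = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
             '(msg:"Bing search for apples"; flow:established,to_server; '
             'content:"q=apples"; http_uri; nocase; sid:1000005; rev:1;)')

# Constructed sample traffic.
SEARCH_REQ = ('GET /search?q=apples&form=QBLH HTTP/1.1\r\n'
              'Host: www.bing.com\r\n'
              'User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n'
              '\r\n')
PAGE_REQ = ('GET /index.html HTTP/1.1\r\n'
            'Host: www.example.com\r\n'
            'User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)\r\n'
            '\r\n')
SEARCH_RESP = ('HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
               '<title>apples - Bing</title>')


def parse_options(rule):
    """Split the parenthesised option block into (keyword, value|None) pairs.

    Simplification: options are split on ';', so values containing a
    literal ';' are not supported here.
    """
    body = rule[rule.index('(') + 1: rule.rindex(')')]
    opts = []
    for item in re.findall(r'[^;]+;', body):
        item = item.strip().rstrip(';').strip()
        if not item:
            continue
        if ':' in item:
            key, val = item.split(':', 1)
            val = val.strip()
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
            opts.append((key.strip(), val))
        else:
            opts.append((item, None))
    return opts


def compile_contents(opts):
    """Turn the options into content matchers plus a flow direction flag.

    In Snort 2, 'nocase' and 'http_uri' modify the most recent 'content'.
    """
    matchers = []
    needs_to_server = False
    for key, val in opts:
        if key == 'content':
            matchers.append({'pattern': val, 'nocase': False, 'buffer': 'payload'})
        elif key == 'nocase' and matchers:
            matchers[-1]['nocase'] = True
        elif key == 'http_uri' and matchers:
            matchers[-1]['buffer'] = 'uri'
        elif key == 'flow' and val and 'to_server' in val:
            needs_to_server = True
    return matchers, needs_to_server


def http_uri(payload):
    """Return the request URI from an HTTP request line, or '' if none."""
    m = re.match(r'^[A-Z]+ (\S+) HTTP/1\.[01]\r\n', payload)
    return m.group(1) if m else ''


def rule_matches(rule, payload, to_server=True):
    """True if every content matcher of the rule hits the given payload."""
    matchers, needs_to_server = compile_contents(parse_options(rule))
    if needs_to_server and not to_server:
        return False
    for m in matchers:
        haystack = http_uri(payload) if m['buffer'] == 'uri' else payload
        needle = m['pattern']
        if m['nocase']:
            haystack, needle = haystack.lower(), needle.lower()
        if needle not in haystack:
            return False
    return True


if __name__ == '__main__':
    for name, rule in (('bare', RULE_BARE), ('http_uri', RULE_HTTP)):
        print(name, 'search request :', rule_matches(rule, SEARCH_REQ))
        print(name, 'page request   :', rule_matches(rule, PAGE_REQ))
        print(name, 'server response:', rule_matches(rule, SEARCH_RESP, to_server=False))
```

Running it shows the bare rule hitting all three payloads (the page load via "AppleWebKit", the response via the page title), while the URI-anchored rule hits only the search request. The practical check this suggests: count how often sid 1000004 fires against your own browsing before concluding the rule is broken; if it never fires at all, confirm that HOME_NET / EXTERNAL_NET cover the client and that traffic is actually reaching the sniffing interface unencrypted.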
