From: Jochen V. <jv...@it...> - 2004-05-10 13:29:06
Hi,

If I test the inline function with http://x.x.x.x/../../etc/passwd I get no log. If I change content with uricontent it works. What's the problem?

Thx for help

---Version---
Version 2.1.0 (Build 9)

---Config---
preprocessor flow: stats_interval 0 hash 2
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor bo
preprocessor flow-portscan: scoreboard-rows-talker 30000 scoreboard-rows-scanner 30000 scanner-fixed-threshold 15 scanner-sliding-threshold 40 scanner-fixed-window 15 scanner-sliding-window 20 scanner-sliding-scale-factor 0.50 talker-fixed-threshold 30 talker-sliding-threshold 30 talker-fixed-window 30 talker-sliding-window 20 talker-sliding-scale-factor 0.50 server-rows 65535 server-watchnet [10.2.0.0/30] src-ignore-net [192.168.1.1/32,192.168.0.0/24] dst-ignore-net [10.0.0.0/30] tcp-penalties on server-learning-time 14400 server-ignore-limit 200 server-scanner-limit 4 alert-mode once output-mode msg
preprocessor frag2: timeout 60,memcap 4194304
preprocessor http_inspect_server: server default profile all ports { 80 8080 } flow_depth 250 inspect_uri_only oversize_dir_length 300
preprocessor rpc_decode: 111 32771
preprocessor stream4: disable_evasion_alerts,memcap 8388608,timeout 30,detect_scans
preprocessor stream4_reassemble: ports [21 23 25 53 80 143 110 111 513], both
preprocessor telnet_decode

---Rule---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:1122; rev:4;)