AnsweredAssumed Answered

snort rule config in 10.4

Question asked by RSA Admin Employee on Oct 21, 2015

We just upgraded from 9.8.5 to 10.4.   I am noticing that the SNORT rules that we had in place are not firing now.  What seems to be  the issue is the value in the CONTENT option.  For 9.8.5 we pretty much used what the request was, either a GET or POST.   Now it seems the only way to get the rule to fire is to have the CONTENT option to reflect a value in the URI that we are already checking with the  PCRE.  Has anybody else run inot this issue?

Outcomes