Working with IDS/IPS Snort Rule Development

Hello! I need someone to help me with the Snort Development Module. I found the malicious user agent with payload inside the log4shell.pcap, however I couldn’t find the keyword that shuould be written inside the Snort rule to trigger an alert. Could you please help me or give an hint?? Thanks.

The best thing to do is try the rules that they provide, and you will notice that no alert was detected. You need to fix it.

The format the answer should follow is as follows : keyword;

No need to look outside the examples provided in the course, everything is in there!

Thank you, but I need a little further explanation.

I just completed this and in the module there is a sample “alert http” rule. Give it a look over and based on research on where the user agent is located in a http packet that should lead you to the answer.

Its better to follow the given rules for better results.

Thank you for this

dont need the square brackets in the answer its just keyword;

I need some help with this, I was able to find the keyword to get snort to find the packets, but that keyword is not being accepted as the answer.

I tried all http_OPTIONS I could find or think about, used ChatGPT, used google.
I can see the packets but I can’t answer the question

Enter the keyword that should be specified right before the content keyword of the rule with sid 10000098 within the local.rules file so that an alert is triggered as your answer. Answer format: [keyword];

These questions are not clear, it’s not “academy” level in my opinion, too much of information must be find somewhere else.

The answer format is not [phrase]; but phrase; without square brackets.

After analyzing .pcap file, you will note that there are some user-agent values, the query must be adjusted with additional trigger to force user-agent inspections. It’s mentioned in the section, but seems to be not related.

Yes, I realized I had the correct answer all along, just didn’t type the ; at the end, days trying, searching, learning, to have it wrong all the time, to finally try with the ; by accident and work. :man_shrugging:

1 Like

Ye… the answer fields should be improved to allow more flexible approach.


Can you give me a Hint? i am lost.

did you figure out?

I’ll try to explain a little more without giving the answer.
If you read the full page, you’ll see a part about the http options, there you can definetely find the answer, so read it carefully.

On top of that, don't forget the answer format


thanks for your help. it worked.

Best regards