I have a Snort rule that is not detecting on a pcap. With some pcap files this rule is detected, with some others it is not. I tried a lot of possible options, but no detection. If someone could help me, that would be good ;-)
Here is the rule that is detected on 2 pcap files.
alert ip any any <> any any (msg:"TEST 1"; content:"forum.php" ; nocase ; classtype:trojan-activity; sid:6000003; rev:0;)
This rule is not detected with 2 other pcap files. Wireshark shows me that forum.php is inside the undetected pcap.
Where is the problem?
Thanks for the help