# Input http://79.124.59.134/j.ad
alert http any 80 -> any any (msg:"Malicious URL detected - Threatview";http.host;content:"79.124.59.134";http.uri;content:"j.ad";classtype:bad-url;sid:50000070;)
# Input http://81.69.96.149:8089/visit.js
alert http any 8089 -> any any (msg:"Malicious URL detected - Threatview";http.host;content:"81.69.96.149";http.uri;content:"visit.js";classtype:bad-url;sid:50000071;)
However, somehow these rules are not triggering when they were supposed to trigger. Can someone help me figure out why, or maybe test if they are really working?
You need to flip the HTTP ports to the destination part of the rule, for example:
alert http any any -> any 80 ………
This is because you are trying to detect the URL, which is in the HTTP request. In HTTP request packets the source port is normally random and the destination is fixed (e.g. 80, 8080).
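The port mix-up described in the answer can be caught before a rule file is deployed. The following is an added example, not code from the thread or from Suricata: a small lint that flags rules using request-side HTTP buffers with a pinned source port and `any` as destination port, and prints the header with the port moved. `check_rule`, `REQUEST_BUFFERS` and `RULES` are hypothetical names, and the buffer list is an assumed, non-exhaustive subset.

```python
import re

# Sticky buffers Suricata fills from the client's HTTP request (not exhaustive).
REQUEST_BUFFERS = {"http.uri", "http.uri.raw", "http.host", "http.host.raw",
                   "http.method", "http.user_agent", "http.request_line"}

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S)


def check_rule(rule):
    """Return (finding, suggested_rule); (None, None) when nothing is flagged."""
    m = HEADER_RE.match(rule)
    if not m:
        return "could not parse rule header", None
    # Split options on ';' but not on an escaped '\;' inside a content string.
    options = re.split(r"(?<!\\);", m["opts"])
    keywords = {opt.split(":", 1)[0].strip() for opt in options}
    used = sorted(keywords & REQUEST_BUFFERS)
    # Request traffic flows client -> server: ephemeral source port, fixed
    # destination port. A pinned source port with dport 'any' is the mix-up.
    if used and m["dir"] == "->" and m["sport"] != "any" and m["dport"] == "any":
        finding = (f"{', '.join(used)} inspect the request, but port "
                   f"{m['sport']} is on the source side")
        fixed = (f"{m['action']} {m['proto']} {m['src']} any -> "
                 f"{m['dst']} {m['sport']} ({m['opts'].strip()})")
        return finding, fixed
    return None, None


# The two rules from the question, as posted (second one keeps its line break).
RULES = [
    'alert http any 80 -> any any (msg:"Malicious URL detected - Threatview";'
    'http.host;content:"79.124.59.134";http.uri;content:"j.ad";'
    'classtype:bad-url;sid:50000070;)',
    'alert http any 8089 -> any any (msg:"Malicious URL detected - Threatview";'
    'http.host;content:"81.69.96.149";http.uri;content:"visit.js";'
    'classtype:bad-url;sid:50000071;\n)',
]

if __name__ == "__main__":
    for rule in RULES:
        finding, fixed = check_rule(rule)
        print(finding)
        print(fixed)
```

Running the suggested rules back through `check_rule` returns no finding, which makes it usable as a pre-commit check on a local rules file.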