Re: Anyone know how to use the content:! rule and replace in snort_inline?

[Frank Knobbe <frank () knobbe us>]

On Mon, 2006-04-24 at 22:23 +0000, John Smith wrote:
> and replaces the fixed string...so shouldn't I be able to do something like:
> pass icmp any any <> any any (content:!"|ff ff ff...|"; replace:"000...";)
>
> and then it will see that the content is NOT ff ff ff (it's 08 09 0a)
> and replace it the same way it did with the first rule? Of course this
> didn't work so I would appreciate it if someone could tell me where
> I'm going wrong.

You used a "pure not rule". You can not use a rule that only has a
content:!"blah" in it. You can use negated content matches only after a
positive content match (ie content:"blah"; content:!"blahoney";)

> Is it even possible to check if content is NOT some known good pattern
> and then replace anything except that?

heh... what is a NOT known good pattern? Could you write one? :)  Snort
can only match on content, not on NOT-content along, much like the
absence of content. The not-content rule can only be used in conjunction
with a content rule.

Regards,
Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

Attachment: signature.asc
Description: This is a digitally signed message part