Re: content rule

[Matt Kettler <mkettler () evi-inc com>]

Yes, that's roughly legal to do.. What was your question/problem relating 
to this rule?

at an eyball scan for problems, since you didn't really state your problem:

Your first content would appear to not be a whole number of bytes... are 
you sure that's what you wanted, or is a digit missing? (AB432CDEF is 4.5 
bytes long.)

I'd also be wary of your depth specifier.. I think that would require 
*both* content strings to start within the first 5 bytes of the packet, but 
each of those strings is >4 bytes long, making that impossible.

Also will both of these content patterns happen in the same tcp segment, or 
burst of segments that stream4 can handle?





At 10:21 PM 12/3/2002 -0200, Aditya () directnet com br wrote:
> I need to capture two contents, one content depends on the other....
> like this
> alert tcp any any -> 192.168.1.0/24 80
> (content: "|AB432CDEF|";content: " |1AC2FEB345|";depth: 5;
> msg: "malicious activity")
>
>
> Only the combination of these two generate malicious activity
>
>
> Any ideas?



-------------------------------------------------------
This SF.net email is sponsored by: Microsoft Visual Studio.NET 
comprehensive development tool, built to increase your 
productivity. Try a free online hosted session at:
http://ads.sourceforge.net/cgi-bin/redirect.pl?micr0003en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users