Snort mailing list archives
Re: multiple content matches
From: Ashley Thomas <athomas () cc gatech edu>
Date: Wed, 19 Feb 2003 14:43:44 -0500
Here is one from rpc.rules which has 2 'content' options and respective 'offset' and 'depth'
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt"; flow:to_server,established; content:"|0000 0f9c|"; offset:0; depth:4; content:"|00018799|"; offset: 16; depth:4; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:5;)
Travis S. wrote:
Can Snort handle checking a single packet against 3 or more content strings to generate an alert? For example, I want to check for string A at offset 1, string B at offset 43 and string C at offset 76 all within the same packet. I didn't see anything about this in the docs.

Thanks,
Travis

-------------------------------------------------------
This SF.net email is sponsored by: SlickEdit Inc. Develop an edge. The most comprehensive and flexible code editor you can use. Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial. www.slickedit.com/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Ashley Thomas
Research scientist
College of Computing
Georgia Tech
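An added example, not part of the original posts and not Snort's own code: a small Python model of how the 'content' options in the rule quoted above combine, where every 'content' must be found inside its own 'offset'/'depth' window for the rule to match. It assumes 'depth' is counted from the 'offset' position and ignores escape sequences and every option other than content, offset and depth; RULE_ABC, its sid and the payload are constructed for illustration.

```python
import re

# Rule quoted in the post above (sid:569), with the "rpc.rules:" file prefix dropped.
RULE_569 = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt"; '
    'flow:to_server,established; content:"|0000 0f9c|"; offset:0; depth:4; '
    'content:"|00018799|"; offset: 16; depth:4; reference:bugtraq,2417; '
    'reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; '
    'classtype:attempted-admin; sid:569; rev:5;)')

# Constructed rule for the three-string case in the question (strings and sid are made up).
RULE_ABC = ('alert tcp any any -> any any (msg:"three fixed-position strings"; '
            'content:"AAA"; offset:1; depth:3; content:"BBB"; offset:43; depth:3; '
            'content:"CCC"; offset:76; depth:3; sid:1000001;)')

# Constructed payload: first pattern at byte 0, second at byte 16.
GOOD_569 = b"\x00\x00\x0f\x9c" + bytes(12) + b"\x00\x01\x87\x99" + bytes(8)

OPTION = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*?)\s*;')

def decode_content(text):
    """Turn a content string into bytes: |..| sections are hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_contents(rule):
    """Return [(pattern, offset, depth)]; offset/depth modify the content before them."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents = []
    for key, value in OPTION.findall(body):
        if key == "content":
            contents.append({"pattern": decode_content(value.strip('"')),
                             "offset": 0, "depth": None})
        elif key in ("offset", "depth") and contents:
            contents[-1][key] = int(value)
    return [(c["pattern"], c["offset"], c["depth"]) for c in contents]

def matches(rule, payload):
    """True only if every content is found inside its own offset/depth window."""
    for pattern, offset, depth in parse_contents(rule):
        end = len(payload) if depth is None else offset + depth
        if pattern not in payload[offset:end]:
            return False  # one missing content is enough to reject the packet
    return True
```

Shifting either pattern by a single byte in the payload makes `matches` return False, which is the practical effect of pinning each content with a depth equal to its length.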
Current thread:
- multiple content matches Travis S. (Feb 19)
- Re: multiple content matches Ashley Thomas (Feb 19)
- Re: multiple content matches Erek Adams (Feb 19)
- Re: multiple content matches Chris Green (Feb 19)
- <Possible follow-ups>
- Re: multiple content matches Margles Singleton (Feb 19)