Snort mailing list archives

Re: Rules with multiple contents specified


From: Alejandro Flores <alejandro.flores () triforsec com br>
Date: Mon, 05 Apr 2004 14:25:11 -0300

hello,

Payload: "uid=48(apache) gid=48(web)"
(You must set this to the corresponding group your webserver is running as.)
If it finds the pattern 'uid=' it will continue searching until it finds '(web)'. If it finds both, then the event is fired.
The rule options are checked as a large logical AND, and they are checked sequentially.


Regards,
Alejandro Flores


Hi,

I am new to Snort. Can someone tell me, when multiple contents are specified in a rule as in the following rule, what does it mean? Does it mean that all the contents MUST be matched, and does it also mean that they should be in the same sequence as specified in the rule, or does the sequencing not matter? (E.g. for the following rule, should "uid=" and "(web)" be in the same sequence, or can "(web)" come before "uid="?)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"(web)"; classtype:bad-unknown; sid:1884; rev:2;)

Thanks
GM
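To make the reply concrete, here is an added example (not code from the thread or from Snort) that reads the content options out of sid 1884 and evaluates them against a constructed payload of the kind the reply describes. The rule itself uses no relative modifiers, so both contents are searched independently and their order in the payload does not matter; the example also models the distance/within modifiers, which are standard Snort keywords not discussed in the thread, to show how a rule author would make the order matter.

```python
# Constructed payload: what a shell `id` command returns when the web
# server runs as uid/gid 48, as in the reply's example.
PAYLOAD = b"uid=48(apache) gid=48(web) groups=48(web)\n"

# The rule from the original question, reproduced verbatim.
RULE = ('alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK '
        'RESPONSES id check returned web"; flow:from_server,established; '
        'content:"uid="; content:"(web)"; classtype:bad-unknown; sid:1884; rev:2;)')


def parse_contents(rule):
    """Return [(pattern_bytes, relative)] for every content option, in rule order.

    A content is treated as relative when the next option is a distance: or
    within: modifier. This toy reader ignores offset/depth/nocase and does
    not handle |hex| escapes; it is only meant to illustrate the question.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = [o.strip() for o in body.split(";") if o.strip()]
    contents = []
    for i, opt in enumerate(opts):
        if opt.startswith("content:"):
            pat = opt[len("content:"):].strip().strip('"').encode()
            nxt = opts[i + 1] if i + 1 < len(opts) else ""
            contents.append((pat, nxt.startswith(("distance:", "within:"))))
    return contents


def rule_matches(payload, contents):
    """Evaluate the content options as one logical AND, checked sequentially.

    A non-relative content is searched over the whole payload, so the order
    of the content options does not constrain where the patterns appear.
    A relative content is searched only after the end of the previous match.
    """
    cursor = 0
    for pat, relative in contents:
        pos = payload.find(pat, cursor if relative else 0)
        if pos < 0:
            return False          # any missing content fails the whole rule
        cursor = pos + len(pat)   # end of this match, for relative searches
    return True


if __name__ == "__main__":
    contents = parse_contents(RULE)
    print(contents, rule_matches(PAYLOAD, contents))
```

With the rule as written, a payload carrying "(web)" before "uid=" still fires; adding `distance:0;` after the second content makes the match depend on order.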









--TriForSec
http://www.triforsec.com.br/ 
