Re: help with rules - data capturing

["Timothy Ding" <iolabs () gmail com>]

many thanks for the reply Paul, i still don't get any results from the rule,
could it possibly be the version of snort (ver 2.3.3) that i am using?

Regards,
Tim

> I think it should work pretty much as-is, but here is how I would
> write the rule:
>
> alert tcp any any -> $HOME_NET 13001 (msg: "GPRMC found in packet"; \
> flow:to_server,established; content:"|24|GPRMC"; nocase; sid:9999000;)
>
> Use the flow: directive to only analyze packets that are in-state for
> the connection described.  I also hexified the $ in $GPRMC just to be
> safe.  That way it doesn't get treated like a variable by anything
> that parses that rule.  And then use some non-published sid value so
> that if you're using BASE, SGUIL, or something else that lets you
> search/sort by sid values, you can access it.
>
> PaulM
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users