Snort mailing list archives

Re: [AUTO IP] Re: Question about content


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Tue, 01 Dec 2009 13:23:27 -0600

I saw that.  The point is, you didn't come close to answering the OP's 
question.  Forget the assumptions you made, you looked for a word 4 bytes into 
the packet.  That wasn't what he asked for.  He asked how he could find the 
pattern at_the_end_of_the_packet without knowing the packet length.

The rest is irrelevant.

--On Tuesday, December 01, 2009 11:46:04 -0600 evilghost () packetmail net wrote:


Paul, since you failed at reading comprehension, here would be the
*critical* statement I made *before* I supplied the rule, as an example
of how PCRE could be used to detect what the OP has requested:

"Making assumptions about direction, protocol, and content I would try
something like this:"

I do appreciate your gems of wisdom concerning the ip based rule.


-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

