Snort mailing list archives

[snort-devel] Creating a new variable into a preprocessor and using it in the rules engine


From: Emiliano Fausto <emiliano.fausto () gmail com>
Date: Fri, 10 Jan 2014 17:09:49 -0200

Hi all!

I'm developing a preprocessor which takes extra information from a packet,
and I'd like this info to be sent to the global SNORT structure so that it
can be used in the rules engine.

Let's suppose I have a packet with this information:

|header| payload| --> In the payload, I have the info: Name="John",
Surname="Doe".

And I create two variables in the preprocessor called:

user_name= payload-->Name
user_surname= payload-->Surname

So, I'd like to know if anyone has worked with global variables so that I
can create a new rule in SNORT which would be something like:

alert udp $EXTERNAL_NET any -> 192.168.0.10 9090 ( user_name; content:
"John"; nocase; user_surname; content: "Doe"; nocase; msg: "John Doe has
logged in to the system"; sid: 12345678; rev: 1; )

Thanks in advance,
Emiliano.