Snort mailing list archives
Re: Content list 2
From: "larc" <larc () pandora be>
Date: Thu 05 Dec 2002 18:11:05 +0100
Hi,
alert tcp any any -> 150.163.18.13 any (content:"|CAFEBABE|";\
content:"|AB3FFC0B|"; \
nocase; msg:"Fake Stuff";)
alert tcp any any -> 150.163.18.13 any \
(content: "|CAFEBABE|";\
nocase; msg:"Cool Stuff";)

It doesn't accuse any error, snort understands the rules, but my alerts are not generated

Why do you use 'nocase' after content when the content is in HEX? Try the rule without 'nocase'.

Stefan D.

------------------------
Aditya () directnet com br wrote:
------------------------
Hi Friends
Hi Matt Kettler, you were right about contents, they really do AND operations :) I was mistaken. But now I have another doubt: inside my snort.conf file I just included directly these two rules

alert tcp any any -> 150.163.18.13 any (content: "|CAFEBABE|";\
content: "|AB3FFC0B|"; \
nocase; msg:"Fake Stuff";)
alert tcp any any -> 150.163.18.13 any \
(content: "|CAFEBABE|";\
nocase; msg:"Cool Stuff"; )

It doesn't accuse any error, snort understands the rules, but my alerts are not generated. I want to know where I am wrong, if you or someone else could help me please!!!

The funny thing is when I use an activate dynamic rule the alert is generated, like this one

activate tcp any any -> 150.163.18.13 any (content: "|CAFEBABE|";\
activates: 1; nocase; msg:"Cool Stuff";)
dynamic tcp any any -> 150.163.18.13 any (activated_by: 1; count: 10;)

Aditya
INPE- Brazilian Space Research Center

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
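
A simplified offline model of the content matching discussed in this thread, added here as an example; it is not part of any poster's message and not Snort's own matcher. The names `parse_content`, `rule_matches` and `nocase_changes_pattern` are hypothetical, the payloads are constructed, and `nocase` is assumed to apply ASCII case folding to the content option immediately before it.

```python
import re

def parse_content(pattern: str) -> bytes:
    """Turn a Snort content string into bytes; |..| sections are hex."""
    parts = pattern.split("|")  # alternates literal, hex, literal, ...
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % pattern)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")  # literal text
        else:
            # Hex section; whitespace between digits is ignored in this model.
            out += bytes.fromhex(re.sub(r"\s+", "", part))
    return bytes(out)

def rule_matches(payload: bytes, contents) -> bool:
    """contents is a list of (pattern, nocase); every one must be found."""
    for pattern, nocase in contents:
        needle, haystack = parse_content(pattern), payload
        if nocase:  # assumption: modelled as ASCII case folding on both sides
            needle, haystack = needle.lower(), haystack.lower()
        if needle not in haystack:
            return False  # one missing content fails the whole rule (AND)
    return True

def nocase_changes_pattern(pattern: str) -> bool:
    """True if case folding would alter any byte of the pattern."""
    raw = parse_content(pattern)
    return raw.lower() != raw.upper()

# Content options of the two alert rules quoted in the thread.
FAKE_STUFF = [("|CAFEBABE|", False), ("|AB3FFC0B|", True)]
COOL_STUFF = [("|CAFEBABE|", True)]

# Constructed sample payloads, not captured traffic.
ONLY_FIRST = bytes.fromhex("0000cafebabe0000")
BOTH = bytes.fromhex("ab3ffc0b00cafebabe")

if __name__ == "__main__":
    for name, rule in (("Fake Stuff", FAKE_STUFF), ("Cool Stuff", COOL_STUFF)):
        for label, payload in (("only CAFEBABE", ONLY_FIRST), ("both", BOTH)):
            print(name, "/", label, "->", rule_matches(payload, rule))
    print("nocase affects |CAFEBABE|:", nocase_changes_pattern("|CAFEBABE|"))
```

Running a captured payload through a model like this shows whether the bytes the rule asks for are present at all, which separates a content mismatch from a problem elsewhere in the rule or sensor setup.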
Current thread:
- Content list 2 Aditya (Dec 05)
- Re: Content list 2 Matt Kettler (Dec 05)
- <Possible follow-ups>
- Re: Content list 2 larc (Dec 09)