Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: multiple content matches

From: Erek Adams <erek () snort org>
Date: Wed, 19 Feb 2003 14:46:52 -0500 (EST)
On Wed, 19 Feb 2003, Travis S. wrote:


Can Snort handle checking a single packet against 3 or more content
strings to generate an alert?  For example, I want to check for string A
at offset 1, string B at offset 43 and string C at offset 76 all within
the same packet.


Yes.  Use 'distance' and 'within'.  You'll also want to use the latest CVS
snapshot that had some fixes for these keywords.


I didn't see anything about this in the docs.


It's not there.  It was just added and has yet to be placed in the manual.
Check this instead:

        http://marc.theaimsgroup.com/?l=snort-users&m=103334784719103&w=2

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by: SlickEdit Inc. Develop an edge.
The most comprehensive and flexible code editor you can use.
Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial.
www.slickedit.com/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: