Snort mailing list archives

Re: Question (about Content-List)


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 13 Mar 2003 13:43:15 -0500

The docs are ambiguous about this, but they do state that nocase is a modifier to a "content" command. It says nothing about it affecting content-list.

The documentation for the Content-list command states:
"... they are treated otherwise identically to content strings specified as an argument to a standard content directive."

Of course, by standard do they mean "with no modifiers" or "behaves the same way and can use modifiers"...

Personally, I suspect that Content-list is forced to be a series of Content: specifiers with no modifiers. You'd have to look at the code to be sure, or get a response from someone familiar with that part of the code.

Also, if nobody on the list responds with an answer, perhaps you should consider revising your message and posting with a useful subject, instead of re-posting the identical question, with the same vague subject.

Many of the "advanced" users on this list skim subjects in their mailbox and only open messages with subjects related to topics they know about. Personally, I skim subject lines, and randomly open 10% of emails with subjects that don't indicate what the email is about. I get on average 288 emails a day (according to my Eudora statistics); I can't read them all, and I'm probably not unique in that.










At 06:38 PM 3/13/2003 +0100, Corrado Federici wrote:
Hi
It seems to me that the keyword 'nocase' is ineffective when present in a rule
where 'content-list' is also present. E.g. a line like this:

log tcp any any -> any 25 (content-list: "content.txt "; nocase;)

only logs if file content.txt contains a word that exactly matches the one
sniffed by Snort.
Can anyone confirm/deny?

Thanks.

Corrado Federici
Snort beginner.







-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open!
Get cracking and register here for some mind boggling fun and
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
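
If content-list does ignore modifiers, as the reply above suspects, the list can be expanded into one rule per string, each with its own content and nocase. This is an added example, not part of the original thread or of Snort itself. The content-list file layout (one string per line, optional double quotes, '#' comments), the escaping set, and the function names are assumptions.

```python
import re

# Assumption: ';', '\' and '"' must be backslash-escaped inside content:"...".
_ESCAPE = re.compile(r'([\\";])')


def parse_content_list(text):
    """Return the match strings from content-list style text.

    Assumed layout: one string per line, optional surrounding double
    quotes, blank lines and lines starting with '#' are ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            line = line[1:-1]
        if line and line not in entries:  # drop empty strings and duplicates
            entries.append(line)
    return entries


def expand_to_rules(header, entries, nocase=True):
    """Emit one rule per entry so every content keeps its own modifier."""
    rules = []
    for entry in entries:
        escaped = _ESCAPE.sub(r"\\\1", entry)
        opts = 'content:"%s";' % escaped
        if nocase:
            opts += " nocase;"
        rules.append("%s (%s)" % (header, opts))
    return rules


# Constructed sample standing in for content.txt (not from the thread).
SAMPLE = '''# constructed sample list
"Confidential"
internal use only
"a;b"
'''

if __name__ == "__main__":
    header = "log tcp any any -> any 25"  # rule header quoted in the thread
    for rule in expand_to_rules(header, parse_content_list(SAMPLE)):
        print(rule)
```

Because a content-list matches when any one of its strings matches, one rule per string keeps the same "any of these" behaviour while letting nocase apply to each string.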


