Snort mailing list archives

Re: Rules Question


From: "Jon Baer" <security () jonbaer net>
Date: Tue, 5 Aug 2003 21:08:04 -0700

the only way to verify is to create the dirty packet + send it yourself ...

i tend to use hex2bin (to create the payload) + nemesis (to send the payload) for this ... i guess there are many other ways ...

echo "3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65" | hex2bin -o payload | nemesis -S 10.10.10.10 -D 192.168.0.100 -P payload

- jon

pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47


  ----- Original Message ----- 
  From: Stevo 
  To: snort-users () lists sourceforge net 
  Sent: Tuesday, August 05, 2003 5:34 PM
  Subject: Re: [Snort-users] Rules Question


  Also, is there a way to verify the rules once you have created them??
    ----- Original Message ----- 
    From: Stevo 
    To: snort-users () lists sourceforge net 
    Sent: Tuesday, August 05, 2003 5:13 PM
    Subject: [Snort-users] Rules Question


    I'm creating some new rules to use... I'm looking for certain keywords in packets and have got the rule working, but I'm interested in seeing more of the Payload... right now I'm just getting the line that includes that keyword... how can I tell ACID to show me 10 lines on either side of the keyword for example??

    Stevo
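
Added example, not part of the original thread: before sending a crafted test packet at the sensor as described in the reply above, the same hex string can be decoded and checked offline against a rule's content options. The rule text, the sid and all function names are constructed for illustration; only `content` and `nocase` are handled (no offset, depth, negation or escaped `;`).

```python
# Added example: offline check of a payload against a rule's content options.
PAGE_HEX = "3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65"  # hex string from the post
# Constructed test rule (not from the thread); sid is a made-up local value.
RULE = ('alert ip any any -> any any (msg:"constructed test rule"; '
        'content:"|3a 5c|windows|5c|syste"; nocase; sid:1000001;)')

def hex_to_payload(hex_text):
    """Space-separated hex (what the post pipes into hex2bin) -> raw bytes."""
    return bytes.fromhex(hex_text)

def decode_content(pattern):
    """Decode a Snort content string: literal text, hex bytes between pipes."""
    if pattern.count("|") % 2:
        raise ValueError("unbalanced | in content: %r" % pattern)
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        # Odd-numbered chunks sit between a pair of pipes and hold hex bytes.
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def rule_contents(rule):
    """Return [pattern_bytes, nocase] for each content option, in rule order."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    found = []
    for option in body.split(";"):   # simplification: no escaped ';' in options
        key, _, value = option.strip().partition(":")
        if key.strip() == "content":
            found.append([decode_content(value.strip().strip('"')), False])
        elif key.strip() == "nocase" and found:
            found[-1][1] = True      # nocase modifies the preceding content
    return found

def payload_matches(rule, payload):
    """True when every content pattern in the rule occurs in the payload."""
    contents = rule_contents(rule)
    if not contents:
        raise ValueError("rule has no content option to test")
    for pattern, nocase in contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True

if __name__ == "__main__":
    payload = hex_to_payload(PAGE_HEX)
    print(repr(payload), payload_matches(RULE, payload))
```

A match here only shows that the content bytes line up; the rule header, preprocessors and the sensor's placement still have to be confirmed with a real test packet.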
