RE: RE: [Snort-users] pcre usage for inline

["Jeff Dell" <jdell () activeworx com>]

You are correct...

http://www.snort.org/docs/snort_htmanuals/htmanual_233/node7.html#SECTION002
53000000000000000

<snip>
The only catch is that the replace must be the same length as the content. 
</snip>

Cheers,
Jeff 

> -----Original Message-----
> From: Joshua Berry [mailto:jberry () PENSON COM] 
> Sent: Wednesday, June 15, 2005 4:36 PM
> To: Jeff Dell; Joel Esler; Snort Users; 
> snort-inline-users-request () lists sourceforge net; snort-sigs 
> mailinglist
> Subject: RE: [Snort-sigs] RE: [Snort-users] pcre usage for inline
>
> If I remember correctly, the replacing content must be the exact same
> size as the original content being replaced.  This makes the 
> replacement
> code of limited value. Example:
>
> alert tcp any any <> any 80 (msg: "change stuff"; content:"stuff";
> replace:"thing";)
>
> The replace tag would be able to use any content that was 5 characters
> (such as "thing") because the original content is 5 characters.   
>
> -----Original Message-----
> From: snort-sigs-admin () lists sourceforge net
> [mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Jeff Dell
> Sent: Wednesday, June 15, 2005 3:29 PM
> To: 'Joel Esler'; 'Snort Users';
> snort-inline-users-request () lists sourceforge net; 'snort-sigs
> mailinglist'
> Subject: [Snort-sigs] RE: [Snort-users] pcre usage for inline
>
> Donno about pcre, but you can do this with snort inline:
>
> alert tcp any any <> any 80 (msg: "change stuff"; content:"stuff";
> replace:"newstuff";) 
>
> Jeff
>
> > -----Original Message-----
> > From: snort-users-admin () lists sourceforge net 
> > [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
> > Joel Esler
> > Sent: Wednesday, June 15, 2005 4:25 PM
> > To: Snort Users; 
> > snort-inline-users-request () lists sourceforge net; snort-sigs 
> > mailinglist
> > Subject: [Snort-users] pcre usage for inline
> >
> > Just wondering, since we have the ability to modify items 
> with regular
> > expressions...  can it be done in a snort rule?  like..
> >
> > pcre:"s/stuff/newstuff/";
> >
> > just a thought..  be able to modify actual data on the fly...
> >
> > J
> >
> >
> > -------------------------------------------------------
> > SF.Net email is sponsored by: Discover Easy Linux Migration 
> Strategies
> > from IBM. Find simple to follow Roadmaps, straightforward articles,
> > informative Webcasts and more! Get everything you need to get up to
> > speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=ick
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=ort-users
>
>
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=ick
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users