Snort mailing list archives
Re: Creating a simple rule.
From: snort user <snort.user () gmail com>
Date: Sat, 19 Nov 2005 15:39:56 -0500
06 bb 09 75 74 0c e2 c4 00 00 00 00 50 04 00 00 d4 4a 00
Is that the TCP/UDP payload data? If so, the alert should have triggered. If not, no.

Please provide the alert rule that you have created and the complete packet data, including IP headers, TCP/UDP headers and payload.

On 11/19/05, Paul Halliday <paul.halliday () gmail com> wrote:
> I am just trying to make a couple simple rules but they fail to fire. Can someone just clarify this:
>
> I am looking at a TCP packet with Ethereal that looks like this:
>
> 06 bb 09 75 74 0c e2 c4 00 00 00 00 50 04 00 00 d4 4a 00
>
> I want the rule to fire on the pattern 00 50 04
>
> I have a rule that looks like:
>
> content:"|00 50 04|"
>
> yet it doesn't fire. Is there something that I have missed?
>
> Thanks.
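The payload question in the reply above, as an added example that is not part of the original thread: Snort's content option searches the packet payload, so a byte pattern that a hex dump shows inside the headers can never match. Reading the quoted bytes as the start of a TCP header is an assumption, and the IPv4 wrapper, the addresses, the padding byte and the second packet's payload are constructed.

```python
import struct

# The 19 bytes quoted in the post. Treating them as the start of a TCP header
# is an assumption of this example; one constructed 0x00 byte completes the
# 20-byte header.
QUOTED = bytes.fromhex("06bb0975740ce2c40000000050040000d44a00")
TCP_HEADER = QUOTED + b"\x00"
PATTERN = bytes.fromhex("005004")  # the rule's content:"|00 50 04|"


def ipv4(tcp_segment: bytes) -> bytes:
    """Wrap a TCP segment in a minimal constructed IPv4 header (checksum 0)."""
    total = 20 + len(tcp_segment)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + tcp_segment


def split_tcp(packet: bytes):
    """Return (headers, payload) of an IPv4/TCP packet, validating lengths."""
    if len(packet) < 20 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    total = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total > len(packet) or ihl + 20 > total:
        raise ValueError("truncated or malformed IPv4 header")
    data_offset = (packet[ihl + 12] >> 4) * 4
    if data_offset < 20 or ihl + data_offset > total:
        raise ValueError("malformed TCP data offset")
    return packet[:ihl + data_offset], packet[ihl + data_offset:total]


def tcp_fields(tcp_header: bytes) -> dict:
    """Decode the fixed TCP fields that cover the bytes in question."""
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp_header[:14])
    return {"sport": sport, "dport": dport, "ack": ack,
            "header_len": (off >> 4) * 4, "flags": flags}


def where(packet: bytes, pattern: bytes) -> dict:
    """Compare what a hex dump shows with what a payload search can see."""
    _headers, payload = split_tcp(packet)
    return {"seen_in_hex_dump": pattern in packet,
            "content_can_match": pattern in payload}


# Constructed packets: header only, then the same header with the pattern in the payload.
HEADER_ONLY = ipv4(TCP_HEADER)
WITH_PAYLOAD = ipv4(TCP_HEADER + b"\x41\x00\x50\x04\x42")
```

Under that reading, 00 50 04 is the last byte of the acknowledgement number followed by the data-offset and flags bytes, which is why the reply asks for the full packet with headers before judging the rule.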