Snort mailing list archives
Re: Content checking in Snort-2.8.3.2
From: Leon Ward <seclists () rm-rf co uk>
Date: Mon, 26 Jan 2009 09:25:24 +0000
Hello

On 25 Jan 2009, at 14:25, bahamin takhtaei wrote:
Hi, I installed Snort-2.8.3.2 and checked some content rules, but Snort can't match any content with "content-length > 2"!
Snort can match more than that, so let's change the question slightly. What are you trying to match? Got a pcap?

-Leon
For example, I add these rules to local.rules:

1. alert tcp any any -> any any (sid:10001001; msg:"http-th"; content:"th"; nocase;)
2. alert tcp any any -> any any (sid:10001002; msg:"http-the"; content:"the"; nocase;)
3. alert tcp any any -> any any (sid:10001003; msg:"http-hex"; content: "|20 61 6e 64 20 64 69 72|"; nocase;)
4. alert tcp any any -> any any (sid:10001004; msg:"http-hex2"; content:"|20 61|"; nocase;)

-----------------------------------------------------------------------

then send HTTP traffic to the Snort machine that contains many "the" patterns, but only rule 1 and rule 4 are triggered. Why please?

Notice: my snort.conf is the sample config file that is on snort.org.

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourcForge Community SourceForge wants to tell your story. http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
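Leon's "got a pcap?" is the right question: before blaming the detection engine, work out which of the four rules should fire on the bytes actually on the wire, then compare with what Snort reports. The script below is an added example written for this page; it is not code from the Snort project or from anyone in the thread. It implements a deliberately simplified model of Snort content matching: literal text and |hex| segments are decoded, `nocase` makes the preceding `content` case-insensitive (ASCII letters only, as in Snort), and a rule is counted as firing when every one of its contents occurs somewhere in the payload. Offset/depth/distance/within modifiers, http_* buffers, preprocessor normalisation and event-queue limits are not modelled (assumption: plain `content` plus `nocase`, which is all the four quoted rules use). The sample HTTP request is constructed for the example, not captured traffic.

```python
"""Predict which of the thread's content rules should fire on a payload (added example)."""
import re

# The four rules quoted in the thread, copied verbatim from local.rules.
LOCAL_RULES = [
    'alert tcp any any -> any any (sid:10001001; msg:"http-th"; content:"th"; nocase;)',
    'alert tcp any any -> any any (sid:10001002; msg:"http-the"; content:"the"; nocase;)',
    'alert tcp any any -> any any (sid:10001003; msg:"http-hex"; content: "|20 61 6e 64 20 64 69 72|"; nocase;)',
    'alert tcp any any -> any any (sid:10001004; msg:"http-hex2"; content:"|20 61|"; nocase;)',
]

# Constructed sample request (not captured traffic) containing "the", "th",
# " a" and " and dir", i.e. something all four rules should match.
SAMPLE_HTTP = (
    b"GET /the-index.html HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"User-Agent: test-client and director\r\n"
    b"\r\n"
)

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\w+\s+\w+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$", re.S
)
HEX_SEGMENT = re.compile(r"\|([0-9A-Fa-f\s]*)\|")


def parse_content(value: str) -> bytes:
    """Decode a content string: literal text plus |hex| segments."""
    out = bytearray()
    pos = 0
    for m in HEX_SEGMENT.finditer(value):
        out += value[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))  # fromhex tolerates the spaces between bytes
        pos = m.end()
    out += value[pos:].encode("latin-1")
    return bytes(out)


def split_options(opts: str) -> list:
    """Split the option section on ';' while leaving quoted values intact."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(rule: str) -> dict:
    """Return sid, msg and a list of (pattern_bytes, nocase) tuples."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule: " + rule)
    parsed = {"sid": None, "msg": None, "contents": []}
    for opt in split_options(m.group("opts")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            parsed["contents"].append([parse_content(val.strip('"')), False])
        elif key == "nocase":
            if not parsed["contents"]:
                raise ValueError("nocase without a preceding content: " + rule)
            parsed["contents"][-1][1] = True  # modifier applies to the last content
        elif key in ("sid", "msg"):
            parsed[key] = val.strip('"')
    parsed["contents"] = [tuple(c) for c in parsed["contents"]]
    return parsed


def content_found(payload: bytes, pattern: bytes, nocase: bool) -> bool:
    """Plain substring search; nocase folds ASCII letters only, like Snort."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def rule_matches(rule: str, payload: bytes) -> bool:
    """True when every content of the rule is present in the payload."""
    parsed = parse_rule(rule)
    return all(content_found(payload, pat, nc) for pat, nc in parsed["contents"])


def evaluate(rules: list, payload: bytes) -> dict:
    """Map each rule's sid to whether it should fire on this payload."""
    return {parse_rule(r)["sid"]: rule_matches(r, payload) for r in rules}


if __name__ == "__main__":
    for sid, fired in evaluate(LOCAL_RULES, SAMPLE_HTTP).items():
        print(sid, "should fire" if fired else "no match")
```

Run it against the decoded payload of the capture you send to Snort (for example the same pcap replayed with `snort -r capture.pcap -c snort.conf -A console`); where this prediction says a rule should fire and Snort stays silent, the cause lies in something the model leaves out (what the preprocessors hand to the detection engine, per-packet event limits, or traffic that does not actually contain the pattern), which narrows the question considerably.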