Snort mailing list archives
Re: file_data entry in snort manual
From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Tue, 10 Aug 2010 10:35:37 -0400
On Mon, Aug 9, 2010 at 11:53 PM, Will Metcalf <william.metcalf () gmail com> wrote:
From the snort manual (note "This option option" typo).... Hmm I think this example is a bit weird, it shows an example that will match from the beginning of the payload and is no way relative to setting the inspection pointer at the start of file_data so what is the point ;-)?
In case of HTTP decompression, file_data will point to the decode buffer which will have the decompressed data. In this case pcre searches the decode buffer rather than the packet payload. Hence the example is valid for this scenario. But I agree the example suggested is a better one.
"This option matches if there is HTTP response body or SMTP body. This option option will operate similarly to the dce stub data option added with DCE/RPC2, in that it simply sets a reference for other relative rule options ( byte test, byte jump, pcre) to use. This file data can point to either a file or a block of data.
Typo will be fixed. -B
Example
alert tcp any any -> any any(msg:"foo at the start of the payload"; file_data; pcre:"/foo/i";)"

Perhaps this should be something like....

alert tcp any 80 -> any any(msg:"foo at the start of http response body"; file_data; content:"foo"; nocase; within:3;)

Regards,
Will
------------------------------------------------------------------------------
This SF.net email is sponsored by
Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
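A small Python model of the two rules discussed in this thread, added here as an illustration and not Snort's own code: file_data is modelled as "the decoded body of the HTTP response" (gzip only, a simplified stand-in for the decode buffer Bhagya describes), the manual's pcre rule as an unanchored search over that buffer, and Will's content/within:3 rule as a match confined to the first three bytes of it. The sample responses are constructed.

```python
import gzip
import re

# Constructed samples. The first carries a gzip-compressed body starting with
# "Foo", so the bytes f-o-o never appear in the raw packet payload; the second
# is uncompressed and has "Foo" in the body but not at its start.
_BODY_GZ = gzip.compress(b"Foo " + b"bar baz " * 8)
COMPRESSED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_BODY_GZ) + _BODY_GZ
)
PLAIN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 7\r\n\r\nbar Foo"


def file_data(packet: bytes) -> bytes:
    """Model of the file_data buffer for an HTTP response: the decoded body
    (decompressed when Content-Encoding is gzip), not the raw payload."""
    head, _, body = packet.partition(b"\r\n\r\n")
    if b"content-encoding: gzip" in head.lower():
        return gzip.decompress(body)
    return body


def rule_pcre_anywhere(buf: bytes) -> bool:
    """file_data; pcre:"/foo/i"; -- the manual's example. With no anchor in
    the regex it matches "foo" anywhere in the buffer."""
    return re.search(rb"foo", buf, re.IGNORECASE) is not None


def rule_content_within3(buf: bytes) -> bool:
    """file_data; content:"foo"; nocase; within:3; -- Will's suggestion.
    file_data leaves the inspection pointer at offset 0, and within:3 requires
    the 3-byte pattern to end within 3 bytes of it, i.e. at the very start."""
    return buf[:3].lower() == b"foo"


def evaluate(packet: bytes) -> dict:
    """Run both rules against the file_data buffer of one response packet and
    also report whether a raw-payload search would have found "foo" at all."""
    buf = file_data(packet)
    return {
        "raw_payload_has_foo": re.search(rb"foo", packet, re.IGNORECASE) is not None,
        "pcre_anywhere": rule_pcre_anywhere(buf),
        "content_within3": rule_content_within3(buf),
    }
```

Against the compressed response only the file_data-based rules see "Foo" (the raw payload does not contain it); against the plain response the pcre rule fires while the within:3 rule, which really is anchored to the start of the body, does not.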