Snort mailing list archives
smtp preprocessor buffers and content modifiers
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 08 Jun 2011 17:46:59 +0000
Reading through the Snort user guides and was wondering about the smtp_preprocessor's various buffers and why they cannot be used as a content modifier much like http_* options? This could be helpful with writing signatures. It looks like the smtp_preprocessor currently creates/inspects certain things and checks them for length or the content of them. If people could use things like:

    smtp_command_line
    smtp_header_line
    smtp_response_line
    smtp_cmds

Not sure if smtp_response_line contains the "response code" and the "response code parameter" as they are known when you parse SMTP traffic with, say, Wireshark. It would be cool to be able to have these though:

    smtp_response_code
    smtp_response_parameter

I was wondering if these or something like them even already existed? There appears to be some crossover between the http and smtp inspect preprocessors with use of the file_data content modifier. It would seem weird to not have the smtp buffers available for checking with rules when the http ones are?

-- Eoin