Snort mailing list archives

Re: Fwd: [snort-user] About packet content


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Fri, 6 Sep 2013 11:06:03 -0600

Maybe some sort of "racial profiling" for packets? ;) 

I think that maybe Mayur might mean, what are the structures that we're looking at?  If so, that's the packet 
structure itself, and then the structure of any application data riding on top of those.  You need to do some research 
if you are expecting to write rules to detect anomalies and attacks in those structures.

If that's not what you meant, then maybe you are looking more for anomaly detection or similar, which I don't think 
Snort really does particularly.


-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Friday, September 06, 2013 6:00 AM
To: Mayur Patil
Cc: snort-users () lists sourceforge net; Bill Parker
Subject: Re: [Snort-users] Fwd: [snort-user] About packet content

So, you are asking if we can know the content of the traffic, before the traffic arrives?

On Fri, Sep 6, 2013 at 1:52 AM, Mayur Patil <ram.nath241089 () gmail com> wrote:
hello,

      I have one question, which might be foolish......

      In a Snort rule we define content for packets,

      like content:"|00 36 90 23 08|";

      Is there any way to know what content the incoming data has
      before an attack is performed? Any prototype which defines a
      specific structure?

      Seeking for guidance,

      Thanks !
--
Cheers,
Mayur.


------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest 
Snort news!



--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire




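As an added example (not part of this thread, and not Snort's own code), the script below walks the two structures Shawn refers to, the packet headers and then the application data riding on top of them, and then applies a content match in the style of the rule fragment from Mayur's question. It builds its own sample frame with made-up addresses; the way the offset/depth window bounds the search is modelled on how Snort's content modifiers are documented to behave and is an assumption of this example, not a description of Snort internals.

```python
import struct
from typing import Optional

# Constructed sample payload (not captured traffic) containing the byte sequence
# from the question, embedded in an HTTP-looking request line.
SAMPLE_PAYLOAD = b"GET /\x00\x36\x90\x23\x08 HTTP/1.0\r\n"


def build_sample_frame(payload: bytes = SAMPLE_PAYLOAD, dport: int = 80) -> bytes:
    """Assemble a minimal Ethernet/IPv4/TCP frame around `payload` (addresses are made up)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    # TCP: sport, dport, seq, ack, data offset (5 words) << 4, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, proto=6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def parse_tcp_payload(frame: bytes) -> dict:
    """Walk the packet structure Ethernet -> IPv4 -> TCP and return the header
    fields of interest plus the application data that rides on top of them."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                    # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    ip = ip[:total_len]                         # drop any Ethernet trailer padding
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4               # TCP header length in bytes
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": tcp[data_off:],
    }


def parse_content(spec: str) -> bytes:
    """Turn a Snort-style content string into bytes: text outside pipes is literal,
    text between pipes is hex byte pairs, e.g. 'GET |2f 00 36|'."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_match(payload: bytes, spec: str, offset: int = 0,
                  depth: Optional[int] = None) -> int:
    """Search the payload for `spec` and return the match index, or -1.

    Assumption of this example: the search window is payload[offset:offset+depth],
    mirroring Snort's offset/depth modifiers, and the whole pattern must fit
    inside that window for a match to count.
    """
    pattern = parse_content(spec)
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(pattern, offset, end)


def rule_matches(frame: bytes, dport: int, spec: str, offset: int = 0,
                 depth: Optional[int] = None) -> bool:
    """Rough equivalent of `alert tcp any any -> any <dport> (content:"<spec>"; ...)`:
    header fields are checked first, then the content on the application payload."""
    try:
        pkt = parse_tcp_payload(frame)
    except ValueError:
        return False
    if pkt["dport"] != dport:
        return False
    return content_match(pkt["payload"], spec, offset, depth) >= 0


if __name__ == "__main__":
    frame = build_sample_frame()
    pkt = parse_tcp_payload(frame)
    print(pkt["src"], "->", pkt["dst"], pkt["sport"], "->", pkt["dport"])
    print("payload:", pkt["payload"])
    print("match at", content_match(pkt["payload"], "|00 36 90 23 08|"))
    print("rule fires:", rule_matches(frame, 80, "|00 36 90 23 08|"))
```

The point of the split into parse_tcp_payload and content_match is the one in the reply above: the header parsing is fixed by the protocol structures and can be written once, while knowing what bytes to put in the content string, and at what offset and depth, comes from studying the application protocol (or the specific attack) you want to detect; nothing in the packet tells you that ahead of time.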