Re: protected_content and replace?

["Carter Waxman (cwaxman)" <cwaxman () cisco com>]

Hi Joshua,

The replace modifier works with protected_content in the same way it works
with content. It will work with regular payload matches, but not URI/HTTP
buffer matches.

Thanks,
Carter Waxman

On 10/25/14, 11:47 PM, "Joshua Kinard" <kumba () gentoo org> wrote:

> I see this note in the manual for protected_content:
>
> The protected content keyword can be used with some (but not all) of the
> content modifiers. Those not
> supported include:
> nocase
> fast_pattern
> depth
> within
>
> I assume 'replace' should be on that list as well?  It's always been in a
> different section of the manual, but it seems to behave like a modifier
> keyword, since it affects the previous content match.
>
> Thanks!,
>
> -- 
> Joshua Kinard
> Gentoo/MIPS
> kumba () gentoo org
> 4096R/D25D95E3 2011-03-28
>
> "The past tempts us, the present confuses us, the future frightens us.
> And our
> lives slip away, moment by moment, lost in that vast, terrible
> in-between."
>
> --Emperor Turhan, Centauri Republic
>
> --------------------------------------------------------------------------
> ----
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!