Snort mailing list archives

Re: Problem with Content rule option


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 18 Dec 2014 05:33:21 -0500

On 12/17/2014 11:01 PM, Mark Greenman wrote:
> Hi. I am new to snort. I want to use content rule option to execute some actions
> based on the content of the http response message (the payload). But, it can not
> work properly. For example, if I want to replace some word with another, the

are you saying that you want to detect something like "cockerel" and replace it 
with "####erel"?

eg:
   in the traffic stream: He's a cockerel!
   would be changed to  : He's a ####erel!

> detection engine can detect some words in the http response message but can not
> some of the same words in the same message. Sometimes it can't even detect a
> single word. The problem is that it works properly for the content of the http
> header. Does anyone know the reason?

it could be that the content is being split over packets and not being 
reassembled for detection... it could be that you're looking in the wrong 
buffer... there's several other things it could be, too...

post the rule so more eyes can see it and possibly find something off in it...



-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
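
The two causes suggested in the reply above (content split across packets without reassembly, and matching against the wrong buffer), shown as an added example that is not part of the original message. The response bytes and all function names are constructed for the demonstration, segments are assumed to arrive in order, and the code models a generic byte matcher, not Snort's detection engine.

```python
# Added illustration; all data is constructed and this models a generic
# byte matcher, not Snort's detection engine.
NEEDLE = b"cockerel"
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"\r\n"
            b"<p>He's a cockerel! Another cockerel here.</p>")

def split_inside_first_match(stream, needle):
    """Return two in-order segments whose boundary falls inside the first match."""
    cut = stream.index(needle) + len(needle) // 2
    return [stream[:cut], stream[cut:]]

def count_per_packet(segments, needle):
    """Match every segment on its own, as a matcher without reassembly would."""
    return sum(seg.count(needle) for seg in segments)

def count_reassembled(segments, needle):
    """Match after joining the segments back into one stream."""
    return b"".join(segments).count(needle)

def count_streaming(segments, needle):
    """Match across boundaries by carrying the last len(needle)-1 bytes forward."""
    tail, total = b"", 0
    for seg in segments:
        window = tail + seg
        total += window.count(needle)
        # The carried tail is shorter than the needle, so no match is counted twice.
        tail = window[-(len(needle) - 1):] if len(needle) > 1 else b""
    return total

def http_buffers(stream):
    """Split a response into header and body buffers at the first blank line."""
    header, _, body = stream.partition(b"\r\n\r\n")
    return {"header": header, "body": body}

SEGMENTS = split_inside_first_match(RESPONSE, NEEDLE)

if __name__ == "__main__":
    print("per packet :", count_per_packet(SEGMENTS, NEEDLE))
    print("reassembled:", count_reassembled(SEGMENTS, NEEDLE))
    print("streaming  :", count_streaming(SEGMENTS, NEEDLE))
    for name, buf in http_buffers(RESPONSE).items():
        print(f"{name:6} buffer matches:", buf.count(NEEDLE))
```

The per-packet count misses the occurrence that straddles the segment boundary while still finding the second one in the same message, and a match restricted to the header buffer never sees the body at all.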
