Snort mailing list archives

Fwd: Problem with Content rule option


From: Mark Greenman <mark.greenman.014 () gmail com>
Date: Sat, 20 Dec 2014 09:19:26 +0330

Here are the rule set, snort.conf file and a pcap file for a simple
experiment. Please tell me if there are any problems.
Thanks

---------- Forwarded message ----------
From: Joel Esler (jesler) <jesler () cisco com>
Date: Thu, Dec 18, 2014 at 3:17 PM
Subject: Re: [Snort-users] Problem with Content rule option
To: Mark Greenman <mark.greenman.014 () gmail com>


 https://snort.org/faq/what-is-the-mailing-list-etiquette

 #4

--
*Joel Esler*
Sent from my iPhone

On Dec 18, 2014, at 2:25 AM, Mark Greenman <mark.greenman.014 () gmail com>
wrote:

Thanks for answering, Joel. I have attached the local.rules, snort.conf
and a pcap file to this email. The pcap file has been captured with
Wireshark listening on the internet interface of the client host.

On Thu, Dec 18, 2014 at 9:14 AM, Joel Esler (jesler) <jesler () cisco com>
wrote:

 Perhaps a sample packet capture, rule, and snort.conf?

--
*Joel Esler*
Sent from my iPhone

On Dec 17, 2014, at 11:04 PM, Mark Greenman <mark.greenman.014 () gmail com>
wrote:

Hi. I am new to Snort. I want to use the content rule option to execute
some actions based on the content of the HTTP response message (the
payload). But it cannot work properly. For example, if I want to replace
some word with another, the detection engine can detect some words in the
HTTP response message but cannot detect some of the same words in the same
message. Sometimes it can't even detect a single word. The problem is that
it works properly for the content of the HTTP header. Does anyone know the
reason?

 Thanks



 _______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

Attachment: local.rules
Attachment: pcap-c2-nfq-replace.pcap
Attachment: snort.conf
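The attached rules and snort.conf are not reproduced in the archive, so the following is an added example (not the poster's files and not a diagnosis of his capture) showing the two pieces a Snort 2.9 deployment needs before a content match against an HTTP response body behaves like a match against the headers: the http_inspect server settings that decide how much of the response body is inspected and whether compressed bodies are decoded, and a rule that matches in the decoded body buffer (file_data) rather than in the raw packet payload. The port list, the word being matched and the local SIDs are constructed placeholders.

```snort
# --- snort.conf, preprocessor section (added example, constructed values) ---
# server_flow_depth limits how many bytes of each HTTP response body are
# handed to the detection engine; the shipped default is 300 bytes, so a
# word deeper in the page is never seen. 0 means "inspect the whole body".
# inspect_gzip / unlimited_decompress make Snort match against the
# decompressed body when the server sends Content-Encoding: gzip.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    server_flow_depth 0 \
    client_flow_depth 0 \
    inspect_gzip unlimited_decompress

# --- local.rules (added example) ---
# Match on the normalized/decompressed response body via the file_data
# buffer. Response traffic flows server -> client, hence to_client.
# sid 1000001 is a placeholder in the local SID range.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL HTTP response body contains example-word"; \
    flow:to_client,established; \
    file_data; \
    content:"example-word"; nocase; \
    classtype:misc-activity; \
    sid:1000001; rev:1; \
)

# Rewriting a word, as the original question describes, uses the replace
# option. It only takes effect when Snort runs inline (e.g. via NFQ),
# the replacement must be exactly the same length as the content, and it
# rewrites raw packet bytes, so it cannot alter a body that was matched
# only after gzip decompression. sid 1000002 is a placeholder.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL rewrite example-word in HTTP response (inline only)"; \
    flow:to_client,established; \
    content:"example-word"; replace:"EXAMPLE-WORD"; \
    classtype:misc-activity; \
    sid:1000002; rev:1; \
)
```

A quick way to confirm which of the two settings is in play is to run Snort against the capture twice, once with the default server_flow_depth and once with 0, and compare alert counts; if alerts appear only in the second run, the body was simply being truncated before inspection, which also explains why header matches (which sit at the start of the response) keep working.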
