[Snort-devel] New feature: multi-line rules

Martin Roesch roesch at ...48...
Sat Feb 10 20:38:55 EST 2001


I came up with a pretty painless way to do multi-line rules this morning
while in the shower (aka where I do my best thinking) and I just checked
the code into CVS.  You can now have rules that look like this:

alert udp any any -> $HOME_NET 53 \
(msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03"; offset: 12; depth: 30; nocase;)

or this:

alert udp any any -> $HOME_NET 53 \
        (msg:"IDS278 - NAMED Version Probe";\
        content: "|07|version|04|bind|00 0010 0008|";\
        nocase; \
        offset: 12;\
        depth: 32;)

and it's perfectly ok.  Just remember to put a '\' at the end of the
line and Snort will automatically concatenate the lines together for the
rules parser.

     -Marty


--
Martin Roesch
roesch at ...48...
http://www.snort.org
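The line-joining behaviour described in the post, as an added example that is not part of the original message and is not Snort's own parser code: a stand-alone C routine that reads a rules buffer line by line and concatenates every physical line ending in `\` with the one that follows, the way the post says the new code does before handing the result to the rules parser. The function names, the buffer size and the sample rules (the two rules quoted above, plus one deliberately broken file that ends in a continuation mark) are this example's own assumptions. Beyond the cases in the post it also tolerates blanks left after the backslash and reports a `\` on the final line, which the post's rule does not cover.

```c
/*
 * Added example (not Snort's code): join physical rule lines that end in a
 * trailing backslash into one logical line, as described in the post.
 */
#include <stdio.h>
#include <string.h>

#define OUT_MAX 2048   /* assumed output buffer size for this example */

/* Joins continuation lines.
 *  - A CR from DOS line endings and any blanks after the backslash are
 *    ignored, so "\ " at the end of a line still continues the rule.
 *  - The backslash and the newline are dropped; text before the backslash
 *    is copied verbatim, so "53 \" keeps its space and an indented next line
 *    keeps its indentation as the separator.
 *  - A backslash on the very last line with nothing after it is the case the
 *    post's rule leaves open: the line is emitted without it and *dangling
 *    is set to 1 so a caller can reject the file.
 * Returns the number of logical lines written (each '\n'-terminated),
 * or -1 if dst is too small. */
int join_continuations(const char *src, char *dst, size_t dstsz, int *dangling)
{
    size_t out = 0;
    int logical = 0;
    int continuing = 0;          /* previous physical line ended in '\' */

    *dangling = 0;
    if (dstsz == 0)
        return -1;

    while (*src != '\0') {
        const char *eol = strchr(src, '\n');
        size_t len = eol ? (size_t)(eol - src) : strlen(src);
        size_t keep = len;
        int cont;

        /* Skip trailing CR/blanks, then test for the continuation mark. */
        while (keep > 0 && (src[keep - 1] == '\r' || src[keep - 1] == ' '
                            || src[keep - 1] == '\t'))
            keep--;
        cont = (keep > 0 && src[keep - 1] == '\\');
        if (cont) {
            keep--;                          /* drop the backslash itself */
        } else {
            keep = len;                      /* keep the line as written ...   */
            if (keep > 0 && src[keep - 1] == '\r')
                keep--;                      /* ... minus a stray CR           */
        }

        if (out + keep + 2 > dstsz)          /* room for text, '\n' and NUL   */
            return -1;
        memcpy(dst + out, src, keep);
        out += keep;

        if (cont) {
            continuing = 1;
        } else {
            dst[out++] = '\n';
            logical++;
            continuing = 0;
        }
        src = eol ? eol + 1 : src + len;
    }

    if (continuing) {                        /* input ended right after '\'   */
        *dangling = 1;
        if (out + 2 > dstsz)
            return -1;
        dst[out++] = '\n';
        logical++;
    }
    dst[out] = '\0';
    return logical;
}

/* Small wrappers so a caller (or a self-check) can ask one question at a time. */
int joined_equals(const char *src, const char *expected)
{
    char buf[OUT_MAX];
    int d;
    return join_continuations(src, buf, sizeof buf, &d) >= 0
        && strcmp(buf, expected) == 0;
}
int joined_lines(const char *src)
{
    char buf[OUT_MAX];
    int d;
    return join_continuations(src, buf, sizeof buf, &d);
}
int joined_dangling(const char *src)
{
    char buf[OUT_MAX];
    int d;
    return join_continuations(src, buf, sizeof buf, &d) < 0 ? -1 : d;
}

/* Constructed samples: the two rules quoted in the post (the second keeps
 * blanks after some backslashes on purpose) and a file ending in a '\'. */
const char sample_one[] =
    "alert udp any any -> $HOME_NET 53 \\\n"
    "(msg:\"MISC-DNS-version-query\"; content:\"version|04|bind|0000 1000 03\";"
    " offset: 12; depth: 30; nocase;)\n";
const char sample_two[] =
    "alert udp any any -> $HOME_NET 53 \\\n"
    "        (msg:\"IDS278 - NAMED Version Probe\";\\   \n"
    "        content: \"|07|version|04|bind|00 0010 0008|\";\\ \n"
    "        nocase; \\\n"
    "        offset: 12;\\\n"
    "         depth: 32;)\n";
const char sample_dangling[] =
    "alert udp any any -> $HOME_NET 53 \\\n";

int main(void)
{
    char buf[OUT_MAX];
    int dangling;
    int n = join_continuations(sample_two, buf, sizeof buf, &dangling);
    printf("%d logical line(s), dangling=%d:\n%s", n, dangling, buf);
    return 0;
}
```

Feeding the routine a whole rules file rather than one rule works the same way: comment lines and blank lines pass through unchanged as their own logical lines, and only lines ending in `\` are glued to their successor. The `dangling` flag is worth checking before handing the output to a rules parser, since a file that ends mid-continuation almost always means a rule was cut off.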



