[Snort-devel] Re: [Snort-users] New feature: multi-line rules

Jeff Nathan jeff at ...271...
Sat Feb 10 21:05:19 EST 2001


Well g0d DAMN, whoever said Marty couldn't 'do' parsers?

Nice job.

-Jeff

Martin Roesch wrote:
> 
> I came up with a pretty painless way to do multi-line rules this morning
> while in the shower (aka where I do my best thinking) and I just checked
> the code into CVS.  You can now have rules that look like this:
> 
> alert udp any any -> $HOME_NET 53 \
> (msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03"; offset: 12; depth: 30; nocase;)
> 
> or this:
> 
> alert udp any any -> $HOME_NET 53 \
>         (msg:"IDS278 - NAMED Version Probe";\
>         content: "|07|version|04|bind|00 0010 0008|";\
>         nocase; \
>         offset: 12;\
>          depth: 32;)
> 
> and it's perfectly ok.  Just remember to put a '\' at the end of the
> line and Snort will automatically concatenate the lines together for the
> rules parser.
> 
>      -Marty
> 
> --
> Martin Roesch
> roesch at ...48...
> http://www.snort.org
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
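The continuation behaviour Marty describes (a trailing '\' makes Snort glue the next physical line onto the current one before the rule parser sees it), as an added example that is not code from the original post or from Snort itself: a small Python joiner that reproduces that concatenation, plus a lint pass for the failure mode the feature makes easy, a rule split across lines where the '\' was forgotten. The sample rules files below are constructed for this example (the second rule is Marty's IDS278 example as posted); the action-keyword list and the quoted-string handling in the parenthesis check are assumptions of this example, not a description of Snort's own parser.

```python
"""Snort-style line-continuation joiner and split-rule lint (added example)."""

# Constructed sample: one rule continued with '\' on every line, Marty's
# IDS278 example as posted (leading whitespace on continuation lines), and
# a one-line rule. A raw string keeps the backslashes literal.
SAMPLE_RULES = r"""# constructed sample input, not a real rules file
alert udp any any -> $HOME_NET 53 \
(msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03"; \
offset: 12; depth: 30; nocase;)

alert udp any any -> $HOME_NET 53 \
        (msg:"IDS278 - NAMED Version Probe";\
        content: "|07|version|04|bind|00 0010 0008|";\
        nocase; \
        offset: 12;\
         depth: 32;)
alert tcp any any -> $HOME_NET 80 (msg:"one-liner"; content:"GET";)
"""

# Constructed failure case: the options were wrapped but the '\' was left off,
# so the parser would see two logical lines, neither of them a valid rule.
BROKEN_RULES = """alert udp any any -> $HOME_NET 53 (msg:"split across lines"; content:"x";
nocase;)
"""

# Rule actions a logical line is expected to start with (assumed list for this
# example; Snort's own set may differ).
ACTIONS = ("alert", "log", "pass", "activate", "dynamic")


def join_continuations(text):
    """Concatenate physical lines that end in '\\', as Marty's post describes.

    Returns a list of (first_physical_line_number, logical_line). Blank lines
    and '#' comments are dropped. The backslash must be the very last
    character of the line; trailing whitespace after it is not a continuation.
    """
    logical = []
    buf = []
    start = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])   # drop the '\', glue the next line on
            continue
        buf.append(line)
        joined = "".join(buf).strip()
        buf = []
        if joined and not joined.startswith("#"):
            logical.append((start, joined))
        start = None
    if buf:  # file ended right after a '\': emit what we have
        joined = "".join(buf).strip()
        if joined:
            logical.append((start, joined))
    return logical


def _paren_depth(rule):
    """Net '(' minus ')' outside double-quoted strings.

    Assumption of this example: a backslash inside a quoted string escapes the
    next character, so content:"\\"" does not end the string.
    """
    depth, in_str, esc = 0, False, False
    for ch in rule:
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
    return depth


def lint(logical):
    """Flag logical lines that look like a rule accidentally split in two."""
    problems = []
    for lineno, rule in logical:
        action = rule.split(None, 1)[0]
        if action not in ACTIONS:
            problems.append((lineno, "does not start with a rule action; "
                                     "missing '\\' at the end of the previous line?"))
        elif _paren_depth(rule) != 0:
            problems.append((lineno, "unbalanced parentheses; "
                                     "missing '\\' at the end of this line?"))
    return problems


if __name__ == "__main__":
    for lineno, rule in join_continuations(SAMPLE_RULES):
        print(f"line {lineno}: {rule}")
    for lineno, msg in lint(join_continuations(BROKEN_RULES)):
        print(f"BROKEN_RULES line {lineno}: {msg}")
```

Two things the joiner makes visible. First, nothing is inserted at the join, so the leading spaces on Marty's indented continuation lines survive as runs of whitespace inside the rule, which is harmless to the option parser but is why the example does not try to re-indent. Second, because any line ending in '\' is a continuation, a line that ends on a backslash for some other reason (the last character of an escape inside a content string) would be swallowed; in this example that is simply an assumption of how the joiner works, and the practical advice is the same as Marty's: break lines only between options.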
