[Snort-devel] Re: [Snort-users] New feature: multi-line rules

Martin Roesch roesch at ...48...
Sat Feb 10 21:15:56 EST 2001


The parser is still a train wreck, it's now just a slightly more useful
train wreck. :)

Bonus points: it worked correctly the first time I compiled and ran
it.... :)

    -Marty

Jeff Nathan wrote:
> 
> Well g0d DAMN, who ever said Marty couldn't 'do' parsers?
> 
> Nice job.
> 
> -Jeff
> 
> Martin Roesch wrote:
> >
> > I came up with a pretty painless way to do multi-line rules this morning
> > while in the shower (aka where I do my best thinking) and I just checked
> > the code into CVS.  You can now have rules that look like this:
> >
> > alert udp any any -> $HOME_NET 53 \
> > (msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03"; offset: 12; depth: 30; nocase;)
> >
> > or this:
> >
> > alert udp any any -> $HOME_NET 53 \
> >         (msg:"IDS278 - NAMED Version Probe";\
> >         content: "|07|version|04|bind|00 0010 0008|";\
> >         nocase; \
> >         offset: 12;\
> >          depth: 32;)
> >
> > and it's perfectly ok.  Just remember to put a '\' at the end of the
> > line and Snort will automatically concatenate the lines together for the
> > rules parser.
> >
> >      -Marty
> >
> > --
> > Martin Roesch
> > roesch at ...48...
> > http://www.snort.org
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> 
> --
> http://jeff.wwti.com            (pgp key available)
> "Common sense is the collection of prejudices acquired by age eighteen."
> - Albert Einstein

--
Martin Roesch
roesch at ...48...
http://www.snort.org
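As an added illustration (not code from this thread and not Snort's own parser), the continuation rule Marty states can be implemented as a small pre-pass in C that joins any line ending in '\' with the line after it before the rule parser sees the text. The only behaviour taken from the thread is "a '\' at the very end of the line continues it"; the function names, the tolerance for CRLF line endings and the treatment of a '\' on the final line of the input are this example's own assumptions and are marked as such in the comments.

```c
/* Added example, not Snort code: a pre-pass that joins backslash-continued
 * lines before a rule parser sees them, as described in the thread.  The
 * only rule taken from the thread is "a '\' at the end of the line
 * continues it"; CRLF handling, the end-of-file case and the function
 * names are this example's own choices. */
#include <stdio.h>
#include <string.h>

/* Copy `in` to `out` (capacity `outsz`), joining every line whose last
 * character is '\' with the line that follows it.  Returns the number of
 * logical lines written, or -1 if `out` is too small.
 * Assumptions not stated on the page: a '\r' before the '\n' is ignored so
 * DOS line endings work, and a '\' on the very last line with nothing
 * after it simply ends that line. */
static int join_continuations(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    int lines = 0;
    const char *p = in;

    if (outsz == 0)
        return -1;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t keep = eol ? (size_t)(eol - p) : strlen(p);
        int cont = 0;

        if (keep > 0 && p[keep - 1] == '\r')   /* tolerate CRLF */
            keep--;
        if (keep > 0 && p[keep - 1] == '\\') { /* continuation marker */
            cont = 1;
            keep--;                            /* the '\' itself is dropped */
        }
        /* room for the text, a possible '\n' and the terminating NUL */
        if (o + keep + 2 > outsz)
            return -1;
        memcpy(out + o, p, keep);
        o += keep;
        if (!cont) {
            out[o++] = '\n';
            lines++;
        }
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    /* a continuation on the final line: close the logical line anyway */
    if (o > 0 && out[o - 1] != '\n') {
        out[o++] = '\n';
        lines++;
    }
    out[o] = '\0';
    return lines;
}

/* Helper for experiments: joins `in` and returns the logical line count
 * when the result equals `expected`, -2 when it does not, and the
 * join_continuations() error code (-1) otherwise. */
static int check_join(const char *in, const char *expected)
{
    char buf[1024];
    int n = join_continuations(in, buf, sizeof buf);
    if (n < 0)
        return n;
    return strcmp(buf, expected) == 0 ? n : -2;
}

int main(void)
{
    /* The second rule from the thread, typed as it appears there. */
    static const char rule[] =
        "alert udp any any -> $HOME_NET 53 \\\n"
        "        (msg:\"IDS278 - NAMED Version Probe\";\\\n"
        "        content: \"|07|version|04|bind|00 0010 0008|\";\\\n"
        "        nocase; \\\n"
        "        offset: 12;\\\n"
        "         depth: 32;)\n";
    char buf[1024];
    int n = join_continuations(rule, buf, sizeof buf);

    printf("%d logical line(s):\n%s", n, buf);
    return n == 1 ? 0 : 1;
}
```

Two things worth checking when writing rules this way: the backslash has to be the last character on the line, so "\ " (backslash followed by a space) does not continue the line and the next line is parsed as a separate rule, which the joiner above reproduces; and the leading indentation of a continued line is kept, so the joined rule contains runs of spaces that the rule parser has to tolerate.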



