[Snort-devel] content-list

Brian Caswell bmc at ...227...
Thu May 3 01:50:02 EDT 2001


content-list is broken (1.7 and -CURRENT). Only the last thing in the
content-list is searched during the packet searching phase.

Specific example:

alert tcp any any -> any 21 (msg:"FTP TRANSFER";
content-list:"./ftp-transfer.list"; flags:A+;)

$ cat ftp-transfer.list
APPE
STOR
STOU
RETR
$

Only the last element of the list is searched.  In this case, RETR.

-brian
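
A possible workaround while content-list behaves this way, added here as an example and not part of the original message or of Snort's own code: expand the list file into one plain content rule per keyword, so every entry is searched. It assumes content-list is meant to fire when any listed string appears; the function name expand_content_list and the keyword appended to each msg are illustrative choices.

```shell
#!/bin/sh
# expand_content_list LISTFILE
# Print one Snort rule per keyword in LISTFILE, reusing the header and
# options of the rule in the report (tcp any any -> any 21, flags:A+).
# Assumption: keywords are one per line, optionally wrapped in double quotes.
expand_content_list() {
    list=$1
    while IFS= read -r kw || [ -n "$kw" ]; do
        # Skip blank lines and comment lines.
        case $kw in ''|'#'*) continue ;; esac
        # Strip one pair of surrounding double quotes if present.
        kw=${kw#\"}
        kw=${kw%\"}
        # Refuse keywords that would need escaping inside a rule option,
        # rather than emit a rule that parses differently than intended.
        case $kw in
            *'"'*|*';'*|*'\'*)
                echo "skipped (needs escaping): $kw" >&2
                continue ;;
        esac
        printf 'alert tcp any any -> any 21 (msg:"FTP TRANSFER %s"; content:"%s"; flags:A+;)\n' \
            "$kw" "$kw"
    done < "$list"
}

# Constructed sample input: the four keywords from the report.
tmp=$(mktemp)
printf 'APPE\nSTOR\nSTOU\nRETR\n' > "$tmp"
expand_content_list "$tmp"
rm -f "$tmp"
```

The output can be saved to a rules file and included in place of the content-list rule.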



