[Snort-devel] content-list

Martin Roesch roesch at ...402...
Sun May 6 22:12:24 EDT 2001


Fixed and committed.  Interesting, this code appears to have never
worked at all, can't understand why nobody ever tested or noticed it
(esp. it's original author).

   -Marty


Brian Caswell wrote:
> 
> content-list is broken (1.7 and -CURRENT)  Only the last thing in the
> content-list is searched during the packet searching phase.
> 
> Specific example:
> 
> alert tcp any any -> any 21 (msg:"FTP TRANSFER";
> content-list:"./ftp-transfer.list"; flags:A+;)
> 
> $ cat ftp-transfer.list
> APPE
> STOR
> STOU
> RETR
> $
> 
> Only the last element of the list is searched.  In this case, RETR.
> 
> -brian
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net


> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org




More information about the Snort-devel mailing list