[Snort-devel] RFC - XML Rules definition question?

tlewis at ...255... tlewis at ...255...
Wed Jan 9 21:42:02 EST 2002


On Thu, 10 Jan 2002 tlewis at ...255... wrote:

> <rule>
>    <report>ICMP PING NMAP</report>
>    <match>
>       <AND>
>          <PRIM proto="icmp" field="payload" op="=">4</PRIM>
>          <PRIM proto="icmp" field="type" op="=">8</PRIM>
>          <PRIM proto="icmp" field="content" op="=">0</PRIM>
>       </AND>
>    </match>
> </rule>

Woops!  That last match was superfluous (and wrong); it should have been:

<rule>
    <report>ICMP PING NMAP</report>
    <match>
       <AND>
          <PRIM proto="icmp" field="payload" op="=">4</PRIM>
          <PRIM proto="icmp" field="type" op="=">8</PRIM>
       </AND>
    </match>
</rule>

That's what I get for writing rules by hand.  8^)

--
Todd Lewis
tlewis at ...255...

Q: How many marxists does it take to screw in a lightbulb?
A: None - the bulb contains the seeds of its own revolution. 
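An evaluator for the rule format proposed above, written as an added example; it is not code from this message or from Snort. It assumes the semantics a reader would infer from the post: <match> wraps one boolean expression, <AND> is true only when every child is true, and a <PRIM> compares one decoded packet field with a literal. Packets are flat dicts from a hypothetical decoder, so the field names "type", "payload" and "content", the rule that an absent field never matches, the operator set beyond "=", and the <OR>/<NOT> elements are all assumptions of this example and go beyond what the post shows. Both rule texts from the post are embedded, so the evaluator also shows why the withdrawn "content" clause kept the first draft from matching.

```python
"""Evaluator for the XML rule format proposed in the post.

Added example, not code from the original message or from Snort. Field
names, the op set, <OR>/<NOT>, and "absent field never matches" are
assumptions of this example; the post itself only shows <AND> and op="=".
"""
import operator
import xml.etree.ElementTree as ET

# Corrected rule, copied from the post.
RULE_XML = """<rule>
    <report>ICMP PING NMAP</report>
    <match>
       <AND>
          <PRIM proto="icmp" field="payload" op="=">4</PRIM>
          <PRIM proto="icmp" field="type" op="=">8</PRIM>
       </AND>
    </match>
</rule>"""

# First draft from the post, including the clause the author withdrew.
FIRST_DRAFT_XML = """<rule>
    <report>ICMP PING NMAP</report>
    <match>
       <AND>
          <PRIM proto="icmp" field="payload" op="=">4</PRIM>
          <PRIM proto="icmp" field="type" op="=">8</PRIM>
          <PRIM proto="icmp" field="content" op="=">0</PRIM>
       </AND>
    </match>
</rule>"""

# Operators accepted in op="..." (assumed set; the post only uses "=").
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}

# Constructed sample packets as flat decoder output; not real captures.
NMAP_PING = {"proto": "icmp", "type": 8, "code": 0, "payload": 4}
NORMAL_PING = {"proto": "icmp", "type": 8, "code": 0, "payload": 56}
ECHO_REPLY = {"proto": "icmp", "type": 0, "code": 0, "payload": 4}
TCP_SYN = {"proto": "tcp", "flags": "S", "dport": 80}


def _coerce(actual, literal):
    """Compare as integers when both sides parse as such, else as strings."""
    try:
        return int(actual), int(literal)
    except (TypeError, ValueError):
        return str(actual), str(literal)


def eval_expr(node, packet):
    """Recursively evaluate one expression element against a packet dict."""
    if node.tag == "AND":
        return all(eval_expr(child, packet) for child in node)
    if node.tag == "OR":          # assumed sibling of <AND>, not in the post
        return any(eval_expr(child, packet) for child in node)
    if node.tag == "NOT":         # assumed: exactly one child expression
        (child,) = list(node)
        return not eval_expr(child, packet)
    if node.tag == "PRIM":
        if packet.get("proto") != node.get("proto"):
            return False
        field = node.get("field")
        if field not in packet:   # assumption: a field the decoder did not set never matches
            return False
        op = OPS[node.get("op")]
        actual, literal = _coerce(packet[field], (node.text or "").strip())
        return op(actual, literal)
    raise ValueError("unknown match element <%s>" % node.tag)


def match_rule(rule_xml, packet):
    """Return the <report> text when the packet satisfies <match>, else None."""
    root = ET.fromstring(rule_xml)
    exprs = list(root.find("match"))
    if len(exprs) != 1:
        raise ValueError("<match> must wrap exactly one expression")
    return root.findtext("report") if eval_expr(exprs[0], packet) else None


if __name__ == "__main__":
    for name, pkt in [("nmap ping", NMAP_PING), ("normal ping", NORMAL_PING),
                      ("echo reply", ECHO_REPLY), ("tcp syn", TCP_SYN)]:
        print("%-12s corrected=%s first_draft=%s" % (
            name, match_rule(RULE_XML, pkt), match_rule(FIRST_DRAFT_XML, pkt)))
```

Running the block prints one line per sample packet; only the constructed nmap-style ping fires the corrected rule, and the first draft fires on nothing because the hypothetical decoder never sets a "content" field, which is the practical consequence of a superfluous clause in a pure conjunction.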
