[Snort-devel] [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine

Emiliano Fausto emiliano.fausto at ...2499...
Fri Jan 10 14:09:49 EST 2014


Hi all!

I'm developing a preprocessor which takes extra information from a packet,
and I'd like this info to be sent to the global SNORT structure so it can
be used in the rules engine.

Let's suppose I have a packet with this information:

|header| payload| --> In the payload, I have the info: Name="John",
Surname="Doe".

And I create two variables in the preprocessor called:

user_name= payload-->Name
user_surname= payload-->Surname

So, I'd like to know if someone has worked with global variables so that I
can create a new rule in SNORT which would be something like:

alert udp $EXTERNAL_NET any -> 192.168.0.10 9090 ( user_name; content:
"John"; nocase; user_surname; content: "Doe"; nocase; msg: "John Does has
logged in to the system"; sid: 12345678; rev: 1; )

Thanks in advance,
Emiliano.
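
Added example, not part of the original message and not Snort code: a stand-alone C sketch of the extraction step such a preprocessor would need before any rule could test user_name or user_surname. It handles the payload as a length-delimited buffer and compares without regard to case, like nocase. The function names extract_field and user_matches and the 64-byte field limit are assumptions, and the sample payload is constructed from the format in the message.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not a Snort API: copy the value of key="value" out of
 * a length-delimited (not NUL-terminated) payload. Returns the value length,
 * or -1 if the key is missing, unterminated, holds a NUL, or does not fit. */
int extract_field(const unsigned char *p, size_t len, const char *key,
                  char *out, size_t outsz)
{
    size_t klen = strlen(key);
    for (size_t i = 0; i + klen + 2 <= len; i++) {
        /* Only match at a field boundary, never inside a longer key. */
        if (i > 0 && p[i - 1] != ' ' && p[i - 1] != ',')
            continue;
        if (memcmp(p + i, key, klen) != 0 ||
            p[i + klen] != '=' || p[i + klen + 1] != '"')
            continue;
        size_t start = i + klen + 2;
        const unsigned char *end = memchr(p + start, '"', len - start);
        if (end == NULL) return -1;          /* truncated packet */
        size_t vlen = (size_t)(end - (p + start));
        if (vlen >= outsz || memchr(p + start, '\0', vlen) != NULL)
            return -1;
        memcpy(out, p + start, vlen);
        out[vlen] = '\0';
        return (int)vlen;
    }
    return -1;
}

/* Both fields must match, ignoring case, as "nocase" does in the rule. */
int user_matches(const unsigned char *p, size_t len,
                 const char *name, const char *surname)
{
    char n[64], s[64];
    if (extract_field(p, len, "Name", n, sizeof n) < 0 ||
        extract_field(p, len, "Surname", s, sizeof s) < 0)
        return 0;
    return strcasecmp(n, name) == 0 && strcasecmp(s, surname) == 0;
}

int main(void)
{
    /* Constructed sample payload in the format shown in the message. */
    const unsigned char pkt[] = "Name=\"John\", Surname=\"Doe\"";
    printf("match: %d\n", user_matches(pkt, sizeof pkt - 1, "john", "doe"));
    return 0;
}
```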