[Snort-devel] [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine

Emiliano Fausto emiliano.fausto at ...2499...
Fri Jan 10 14:09:49 EST 2014

Hi all!

I'm developing a preprocessor which takes extra information from a packet,
and I'd like this info to be sent to the global SNORT structure so that it
can be used in the rules engine.

Let's suppose I have a packet with this information:

|header| payload| --> In the payload, I have the info: Name="John",

And I create two variables in the preprocessor called:

user_name= payload-->Name
user_surname= payload-->Surname

So, I'd like to know if someone has worked with global variables so that I
can create a new rule in SNORT which would be something like:

alert udp $EXTERNAL_NET any -> 9090 ( user_name; content:
"John"; nocase; user_surname; content: "Doe"; nocase; msg: "John Does has
logged in to the system"; sid: 12345678; rev: 1; )

Thanks in advance,
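
The pattern the post asks about, fields extracted by a preprocessor that a rule option then selects for case-insensitive content matching, shown as an added stand-alone C model (not code from the post and not Snort's preprocessor API). The payload format `Name="...",Surname="..."`, the `pkt_fields` struct and every function name here are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define FIELD_MAX 64
/* Stand-alone model, not Snort's API: buffers a preprocessor fills per packet. */
typedef struct { char user_name[FIELD_MAX], user_surname[FIELD_MAX]; } pkt_fields;
typedef enum { USER_NAME, USER_SURNAME } selector;   /* buffer-selecting option */
typedef struct { selector buf; const char *content; } rule_opt;
/* Copy key="..." into out; untrusted input, so reads stay within len and writes within FIELD_MAX. */
static int extract(const char *p, size_t len, const char *key, char *out) {
    size_t klen = strlen(key);
    out[0] = '\0';                       /* a failed extraction leaves an empty buffer */
    for (size_t i = 0; i + klen + 2 <= len; i++) {
        if ((i && p[i - 1] != ',') || memcmp(p + i, key, klen) ||
            p[i + klen] != '=' || p[i + klen + 1] != '"') continue;
        const char *v = p + i + klen + 2, *end = memchr(v, '"', len - (i + klen + 2));
        if (!end || end - v >= FIELD_MAX) return -1;  /* unterminated or oversized */
        memcpy(out, v, (size_t)(end - v));
        out[end - v] = '\0';
        return 0;
    }
    return -1;
}
void preprocess(const char *p, size_t len, pkt_fields *f) {
    extract(p, len, "Name", f->user_name);
    extract(p, len, "Surname", f->user_surname);
}
/* Case-insensitive substring test, the model's stand-in for content + nocase. */
static int contains_nocase(const char *hay, const char *needle) {
    for (size_t n = strlen(needle); ; hay++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)hay[j]) == tolower((unsigned char)needle[j])) j++;
        if (j == n || !*hay) return j == n;
    }
}
/* The rule fires only if every content matches inside its selected buffer. */
int rule_matches(const pkt_fields *f, const rule_opt *o, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!contains_nocase(o[i].buf == USER_NAME ? f->user_name : f->user_surname, o[i].content))
            return 0;
    return 1;
}
int main(void) {
    const char payload[] = "Name=\"john\",Surname=\"DOE\"";   /* constructed sample */
    const rule_opt rule[] = { { USER_NAME, "John" }, { USER_SURNAME, "Doe" } };
    pkt_fields f;
    preprocess(payload, sizeof payload - 1, &f);
    puts(rule_matches(&f, rule, 2) ? "alert" : "no alert");
    return 0;
}
```

A truncated or oversized field leaves its buffer empty, so a rule that selects it cannot match on leftover data from an earlier packet.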