[Snort-devel] [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine
emiliano.fausto at ...2499...
Fri Jan 10 14:09:49 EST 2014
I'm developing a preprocessor which takes extra information from a packet,
and I'd like this info to be sent to the global SNORT structure to be
used in the rules engine.
Let's suppose I have a packet with this information:
|header| payload| --> In the payload, I have the info: Name="John",
And I create two variables in the preprocessor called:
So, I'd like to know if someone has worked with global variables so that I
can create a new rule in SNORT which would be something like:
alert udp $EXTERNAL_NET any -> 192.168.0.10 9090 ( user_name; content:
"John"; nocase; user_surname; content: "Doe"; nocase; msg: "John Does has
logged in to the system"; sid: 12345678; rev: 1; )
Thanks in advance,