[Snort-devel] [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine

Emiliano Fausto emiliano.fausto at ...2499...
Fri Jan 10 14:53:33 EST 2014


hi there,

just in case. I know that I would be able to create a Detection-plugin,
like the tcpurg example. But the problem is that, I'd rather use the snort
detection engine to have the string, hex and prcre full searching features.

It would be really hard to me, to start from the scratch doing those
functionality. Instead, I'll like to take advantage of them and use them as
the http_header does for example.

Regards!
Emiliano.


2014/1/10 Emiliano Fausto <emiliano.fausto at ...2499...>

> Hi all!
>
> I'm developing a preprocessor which takes extra information from a packet,
> and I'd like that this info is sent to the global SNORT structure to be
> used into the rules engine.
>
> Let's suppose I have a packet with this information:
>
> |header| payload| --> Into the Payload, I have the info: Name="John",
> Surname="Doe".
>
> And I create two variables in the preprocessor called:
>
> user_name= payload-->Name
> user_surname= payload-->Surname
>
> So, I'd like to know if someone has worked with global variables so that I
> can create a new rule in SNORT which would be something like:
>
> alert udp $EXTERNAL_NET any -> 192.168.0.10 9090 ( user_name; content:
> "John"; nocase; user_surname; content: "Doe"; nocase; msg: "John Does has
> logged in to the system"; sid: 12345678; rev: 1; )
>
> Thanks in advance,
> Emiliano.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140110/69c62125/attachment.html>


More information about the Snort-devel mailing list