[Snort-devel] protected_content and replace?

Carter Waxman (cwaxman) cwaxman at ...3461...
Mon Oct 27 09:45:34 EDT 2014

Hi Joshua,

The replace modifier works with protected_content in the same way it works
with content. It will work with regular payload matches, but not URI/HTTP
buffer matches.

Carter Waxman

On 10/25/14, 11:47 PM, "Joshua Kinard" <kumba at ...2185...> wrote:

>I see this note in the manual for protected_content:
>The protected content keyword can be used with some (but not all) of the
>content modifiers. Those not
>supported include:
>I assume 'replace' should be on that list as well?  It's always been in a
>different section of the manual, but it seems to behave like a modifier
>keyword, since it affects the previous content match.
>Joshua Kinard
>kumba at ...2185...
>4096R/D25D95E3 2011-03-28
>"The past tempts us, the present confuses us, the future frightens us.
>And our
>lives slip away, moment by moment, lost in that vast, terrible
>--Emperor Turhan, Centauri Republic
>Snort-devel mailing list
>Snort-devel at lists.sourceforge.net
>Please visit http://blog.snort.org for the latest news about Snort!

More information about the Snort-devel mailing list