[Snort-devel] protected_content and replace?

Carter Waxman (cwaxman) cwaxman at ...3461...
Mon Oct 27 09:45:34 EDT 2014


Hi Joshua,

The replace modifier works with protected_content in the same way it works
with content. It will work with regular payload matches, but not URI/HTTP
buffer matches.

Thanks,
Carter Waxman

On 10/25/14, 11:47 PM, "Joshua Kinard" <kumba at ...2185...> wrote:

>
>I see this note in the manual for protected_content:
>
>The protected content keyword can be used with some (but not all) of the
>content modifiers. Those not
>supported include:
>nocase
>fast_pattern
>depth
>within
>
>I assume 'replace' should be on that list as well?  It's always been in a
>different section of the manual, but it seems to behave like a modifier
>keyword, since it affects the previous content match.
>
>Thanks!,
>
>-- 
>Joshua Kinard
>Gentoo/MIPS
>kumba at ...2185...
>4096R/D25D95E3 2011-03-28
>
>"The past tempts us, the present confuses us, the future frightens us.
>And our
>lives slip away, moment by moment, lost in that vast, terrible
>in-between."
>
>--Emperor Turhan, Centauri Republic
>
>--------------------------------------------------------------------------
>----
>_______________________________________________
>Snort-devel mailing list
>Snort-devel at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-devel
>Archive:
>http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
>Please visit http://blog.snort.org for the latest news about Snort!





More information about the Snort-devel mailing list