[Snort-sigs] question about content

Steven Alexander alexander.s at ...1565...
Wed Jul 9 08:44:12 EDT 2003


As I understand it: depth only modifies the preceding content option, in
this case 'content:"M-SEARCH "'.  The second content option should
search the rest of the payload if the first is matched.

-steven

SID 1917:
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service
discover attempt"; content:"M-SEARCH "; offset:0; depth:9;
content:"ssdp\:discover"; classtype:network-scan; sid:1917; rev:4;) 

-----Original Message-----
From: karim hassib [mailto:k_hassib at ...12...] 
Sent: Tuesday, July 08, 2003 10:28 PM
To: snort-sigs at ...198...
Subject: [Snort-sigs] question about content


hi 
question about the content field in signatures:

from what i undestand that :
-single content means search for this content in payload
-content list means search for any one of these contents
-multiple contents means look for all of them at same time in spayload

now is it possible to have a signature with two contents one is 13
characters long and the other 9 and i have a depth field of 9?
how does this work

i am refering to SID: 1917
thanks for your time




Help STOP SPAM with the new MSN 8 and get 2 months FREE*
------------------------------------------------------- This SF.Net
email sponsored by: Parasoft Error proof Web apps, automate testing &
more. Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
_______________________________________________ Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs 




More information about the Snort-sigs mailing list