[Snort-sigs] About content field..

Matt Kettler mkettler at ...189...
Wed Apr 7 10:09:01 EDT 2004

At 03:35 AM 4/7/2004, Anand Chiney wrote:
>While writing signatures can we use CONTENT of two different packets?
>Thks in advance

Only in some situations. However if all of the following are true, you can 
do it:
         1) you are dealing with TCP data.
         2) Stream4 is enabled with re-assembly.
         3) both TCP segments occur before any intervening acknowledgement 
is sent back from the server.

For example, in SMTP you can't do a rule that will look at both the MAIL 
FROM: and RCPT TO: commands, since the server will respond with a status 
message after the first command.

Also, keep in mind that #3 pretty much restricts you to two segments of TCP 
data which are adjacent to each other. Typically TCP stacks will send back 
ACKs every other data packet, so you can't look for two content strings 
that are separated by 20kb of data in a single rule. If you have to do 
something like that, consider looking at the tagging feature to cascade two 
rules together. I've not done it myself, but I've heard this feature works 
for this kind of thing. 

More information about the Snort-sigs mailing list