[Snort-sigs] About content field..
mkettler at ...189...
Wed Apr 7 10:09:01 EDT 2004
At 03:35 AM 4/7/2004, Anand Chiney wrote:
>While writing signatures, can we use CONTENT of two different packets?
>Thanks in advance
Only in some situations. However, if all of the following are true, you can:
1) you are dealing with TCP data;
2) Stream4 is enabled with reassembly;
3) both TCP segments occur before any intervening acknowledgement is sent back from the server.
For example, in SMTP you can't do a rule that will look at both the MAIL
FROM: and RCPT TO: commands, since the server will respond with a status
message after the first command.
Also, keep in mind that #3 pretty much restricts you to two segments of TCP
data which are adjacent to each other. Typically TCP stacks will send back
ACKs every other data packet, so you can't look for two content strings
that are separated by 20 KB of data in a single rule. If you have to do
something like that, consider looking at the tagging feature to cascade two
rules together. I've not done it myself, but I've heard this feature works
for this kind of thing.
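As an added illustration (not part of the original thread, and not Matt's or the Snort project's own rules), here is a Snort 2.x fragment showing the two pieces discussed above: stream4 reassembly on the SMTP port, so that adjacent client segments are inspected as one buffer, and a pair of rules cascaded across the server's reply. The cascade uses the flowbits keyword (available from Snort 2.1), which keeps per-session state between rules, plus the tag option from the post to capture the following packets of the session. The variables $EXTERNAL_NET and $SMTP_SERVERS are the defaults from snort.conf; the sid numbers and the flowbit name are placeholders chosen for this example.

```snort
# Added example, not from the original post. Snort 2.x syntax.

# Stream4 with reassembly of both directions on port 25. Without this a single
# rule only ever sees one TCP segment, so two content matches can never span
# packets at all.
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: both, ports 25

# Rule 1: match the first SMTP command, remember it for this session, and do
# not alert on its own (flowbits:noalert). "|3A|" is the hex for ':'.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM seen"; \
    flow:to_server,established; content:"MAIL FROM|3A|"; nocase; \
    flowbits:set,smtp.mailfrom; flowbits:noalert; sid:1000001; rev:1;)

# Rule 2: match the second command, but only in a session where rule 1 already
# fired. The server's "250 OK" between the two commands no longer matters,
# because each rule inspects its own segment. tag:session then logs the next
# 10 packets of the session so the analyst sees what followed the RCPT TO.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO after MAIL FROM"; \
    flow:to_server,established; content:"RCPT TO|3A|"; nocase; \
    flowbits:isset,smtp.mailfrom; tag:session,10,packets; sid:1000002; rev:1;)
```

The single-rule alternative (one rule with both content matches) only works when both commands land in the same reassembled buffer, which is exactly the situation the post says SMTP breaks, since the server answers after MAIL FROM. Note that tag by itself only extends logging; it is the flowbit that makes rule 2 depend on rule 1.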