[Snort-sigs] RE: [Snort-users] pcre usage for inline

Jeff Dell jdell at ...178...
Wed Jun 15 13:40:19 EDT 2005


You are correct...

http://www.snort.org/docs/snort_htmanuals/htmanual_233/node7.html#SECTION00253000000000000000

<snip>
The only catch is that the replace must be the same length as the content. 
</snip>

Cheers,
Jeff 

> -----Original Message-----
> From: Joshua Berry [mailto:jberry at ...2562...] 
> Sent: Wednesday, June 15, 2005 4:36 PM
> To: Jeff Dell; Joel Esler; Snort Users; 
> snort-inline-users-request at lists.sourceforge.net; snort-sigs 
> mailinglist
> Subject: RE: [Snort-sigs] RE: [Snort-users] pcre usage for inline
> 
> If I remember correctly, the replacing content must be the exact same
> size as the original content being replaced.  This makes the replacement
> code of limited value. Example:
> 
> alert tcp any any <> any 80 (msg: "change stuff"; content:"stuff";
> replace:"thing";)
> 
> The replace tag would be able to use any content that was 5 characters
> (such as "thing") because the original content is 5 characters.   
> 
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Jeff Dell
> Sent: Wednesday, June 15, 2005 3:29 PM
> To: 'Joel Esler'; 'Snort Users';
> snort-inline-users-request at lists.sourceforge.net; 'snort-sigs
> mailinglist'
> Subject: [Snort-sigs] RE: [Snort-users] pcre usage for inline
> 
> Donno about pcre, but you can do this with snort inline:
> 
> alert tcp any any <> any 80 (msg: "change stuff"; content:"stuff";
> replace:"newstuff";) 
> 
> Jeff
> 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net 
> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> > Joel Esler
> > Sent: Wednesday, June 15, 2005 4:25 PM
> > To: Snort Users; 
> > snort-inline-users-request at lists.sourceforge.net; snort-sigs 
> > mailinglist
> > Subject: [Snort-users] pcre usage for inline
> > 
> > Just wondering, since we have the ability to modify items with regular
> > expressions...  can it be done in a snort rule?  like..
> > 
> > pcre:"s/stuff/newstuff/";
> > 
> > just a thought..  be able to modify actual data on the fly...
> > 
> > J
> > 
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=ort-users
> > 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
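The same-length constraint that Joshua and Jeff describe is easy to miss by eye once a `content:` string mixes literal text with Snort's `|..|` hex-byte sections or backslash escapes, because the number of characters in the rule file is no longer the number of bytes on the wire. The following checker is an added example (not code from this thread or from the Snort project) that decodes each `content:`/`replace:` pair the way Snort reads them and reports whether the byte lengths match. It assumes Snort's content string syntax (`|0d 0a|` hex sections, `\"` `\;` `\\` `\|` escapes) and pairs every `replace:` with the `content:` option immediately preceding it; the sample rules at the bottom are constructed from the examples in this thread.

```python
import re


def content_bytes(body):
    """Decode the inside of a Snort content:/replace: string into raw bytes.

    Two things make plain character counting unreliable: |..| sections,
    which hold space-separated hex byte values, and backslash escapes
    (\\" \\; \\\\ \\|), which each stand for one literal byte.
    """
    out = bytearray()
    i, n = 0, len(body)
    while i < n:
        c = body[i]
        if c == "|":  # start of a hex section, e.g. |0d 0a|
            end = body.find("|", i + 1)
            if end == -1:
                raise ValueError("unterminated |hex| section in %r" % body)
            hexdigits = body[i + 1:end].replace(" ", "")
            if len(hexdigits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", hexdigits):
                raise ValueError("bad hex section %r" % body[i:end + 1])
            out += bytes.fromhex(hexdigits)
            i = end + 1
        elif c == "\\":  # escaped character: the next char is one literal byte
            if i + 1 >= n:
                raise ValueError("dangling backslash in %r" % body)
            out.append(ord(body[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def split_options(opts):
    """Split a rule's option body at ';' characters that sit outside quotes."""
    items, cur, in_quote, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if in_quote and c == "\\" and i + 1 < len(opts):
            cur += [c, opts[i + 1]]  # keep escapes intact for content_bytes()
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    if "".join(cur).strip():
        items.append("".join(cur).strip())
    return items


def check_replace_lengths(rule):
    """Return [(content_bytes, replace_bytes, lengths_match), ...] for a rule.

    Each replace: is paired with the content: option that precedes it, which
    is the content the replace modifies.
    """
    m = re.search(r"\((.*)\)\s*$", rule.strip(), re.S)
    if not m:
        raise ValueError("rule has no option section")
    results, last = [], None
    for opt in split_options(m.group(1)):
        kw, _, val = opt.partition(":")
        kw, val = kw.strip(), val.strip()
        if kw not in ("content", "replace"):
            continue
        if len(val) < 2 or val[0] != '"' or val[-1] != '"':
            raise ValueError("%s value is not a quoted string: %r" % (kw, val))
        data = content_bytes(val[1:-1])
        if kw == "content":
            last = data
        else:
            if last is None:
                raise ValueError("replace: without a preceding content:")
            results.append((last, data, len(last) == len(data)))
            last = None
    return results


if __name__ == "__main__":
    # Constructed sample rules based on the examples in this thread.
    samples = [
        'alert tcp any any <> any 80 (msg: "change stuff"; content:"stuff"; replace:"newstuff";)',
        'alert tcp any any <> any 80 (msg: "change stuff"; content:"stuff"; replace:"thing";)',
        'alert tcp any any -> any 80 (msg:"hex bytes"; content:"GET |0d 0a|"; replace:"HEAD|0d0a|";)',
    ]
    for rule in samples:
        for content, replace, ok in check_replace_lengths(rule):
            print("%-12r -> %-12r %d vs %d bytes: %s"
                  % (content, replace, len(content), len(replace), "OK" if ok else "LENGTH MISMATCH"))
```

Running it flags Jeff's first rule (`"stuff"` is 5 bytes, `"newstuff"` is 8) and passes the `"thing"` variant. The third sample shows why decoding matters: `"GET |0d 0a|"` and `"HEAD|0d0a|"` differ in character count but are both 6 bytes once the hex sections are decoded, so that replace is valid.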