[Snort-sigs] Grabbing more content

Paul Schmehl pauls at ...1311...
Tue Feb 14 10:39:01 EST 2006


Is there a modifier that can be used to capture more of the content after a 
content keyword?  I have some rules that look like this, in part:

content:"{16 digit num}; content:"pass";

I'd like to capture more of the data after "pass".  Is there a way to do 
that?

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/




More information about the Snort-sigs mailing list