[Snort-sigs] Grabbing more content

Erik Fichtner emf at ...3056...
Tue Feb 14 10:51:06 EST 2006


Paul Schmehl wrote:
> Is there a modifier that can be used to capture more of the content
> after a content keyword?  I have some rules that look like this, in part:
> 
> content:"{16 digit num}"; content:"pass";
> 
> I'd like to capture more of the data after "pass".  Is there a way to do
> that?

Sounds like you want "tag"


-- 
Erik Fichtner; Unix Ronin

"Mathematics is something best shared between consenting adults
in the privacy of their own office" - Adam O'Donnell
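How the `tag` option suggested above could be attached to a rule of the shape in the question, as an added example that is not part of the original thread. The 16-digit value is a constructed placeholder, and the addresses, ports, message text, SIDs and counts are assumptions.

```snort
# Added example (Snort 2.x rule syntax). All values below are constructed.
#
# tag:<type>,<count>,<metric>[,<direction>];
#   type      session = same TCP session, host = any traffic from/to one host
#   metric    packets | seconds | bytes
#   direction src | dst (used with type host)

# Alert on the two content matches, then log the next 20 packets of the
# same session so the data following "pass" is captured.
alert tcp any any -> any any (msg:"LOCAL 16-digit number followed by pass"; \
    flow:established; \
    content:"0000000000000000"; \
    content:"pass"; distance:0; \
    tag:session,20,packets; \
    sid:1000001; rev:1;)

# Variant: log everything from the source host for 60 seconds after the
# match, including traffic outside the session that triggered the rule.
alert tcp any any -> any any (msg:"LOCAL 16-digit number followed by pass (host tag)"; \
    flow:established; \
    content:"0000000000000000"; \
    content:"pass"; distance:0; \
    tag:host,60,seconds,src; \
    sid:1000002; rev:1;)
```

The tagged packets are handed to the same output plugins as the alert itself, so the output format in use has to support logging them.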