[Snort-sigs] Grabbing more content

Paul Schmehl pauls at ...1311...
Tue Feb 14 13:54:02 EST 2006


--On Tuesday, February 14, 2006 13:49:47 -0500 Erik Fichtner 
<emf at ...3056...> wrote:

> Paul Schmehl wrote:
>> Is there a modifier that can be used to capture more of the content
>> after a content keyword?  I have some rules that look like this, in part:
>>
>> content:"{16 digit num}"; content:"pass";
>>
>> I'd like to capture more of the data after "pass".  Is there a way to do
>> that?
>
> Sounds like you want "tag"
>
No, I want to capture more of the same packet.  Not the entire conversation.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/



