[Snort-sigs] Grabbing more content

Paul Schmehl pauls at ...1311...
Tue Feb 14 13:54:02 EST 2006

--On Tuesday, February 14, 2006 13:49:47 -0500 Erik Fichtner 
<emf at ...3056...> wrote:

> Paul Schmehl wrote:
>> Is there a modifier that can be used to capture more of the content
>> after a content keyword?  I have some rules that look like this, in part:
>> content:"{16 digit num}"; content:"pass";
>> I'd like to capture more of the data after "pass".  Is there a way to do
>> that?
> Sounds like you want "tag"
No, I want to capture more of the same packet.  Not the entire conversation.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
