[Snort-sigs] rule content
Jules F. Pagna Disso
jferdinand at ...3299...
Mon Jun 18 20:47:57 EDT 2007
I am trying to understand how to write the rules. I have some problems:
1. When to convert bytes? Raw data? Or when to leave it as it is, or when to have mixed binary and text content?
For example, I have the rules
alert tcp any any -> any 80 (content: !"GET";)
alert tcp any any -> any 139 (content: "|5C 00|P|00|P|00|E|00 5C|";)
2. Is there any format that is best to work with?
3. Can someone help me to reconstitute the original content that was converted in the second rule given here as an example?
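An added example, not part of the original post, that answers the third question mechanically: it decodes a Snort content string in which text and |hex| sections are mixed into the raw bytes the rule matches, and re-encodes bytes back into the same notation. On the second rule it yields a backslash (0x5C), the letters P, P, E each followed by a null byte (the wide-character form), and a closing backslash. The escape handling for \", \;, \| and \\ follows the Snort content syntax; the helper names are my own.

```python
"""Decode and re-encode Snort 'content' strings that mix text and |hex| bytes."""

# Characters that must be backslash-escaped when they appear literally
# outside a |hex| section of a Snort content string.
_NEEDS_ESCAPE = {'"', ';', '|', '\\'}


def decode_content(content: str) -> bytes:
    """Return the raw bytes a content:"..." value matches (quotes already stripped)."""
    out = bytearray()
    pos = 0
    while pos < len(content):
        ch = content[pos]
        if ch == '|':                       # start of a hex section
            end = content.find('|', pos + 1)
            if end == -1:
                raise ValueError("unterminated |hex| section")
            # bytes.fromhex ignores whitespace, so "5C 00" and "5C00" both work;
            # it raises ValueError on an odd digit count or a non-hex character.
            out += bytes.fromhex(content[pos + 1:end])
            pos = end + 1
        elif ch == '\\':                    # backslash escape outside hex
            if pos + 1 >= len(content) or content[pos + 1] not in _NEEDS_ESCAPE:
                raise ValueError("invalid escape at offset %d" % pos)
            out.append(ord(content[pos + 1]))
            pos += 2
        else:                               # literal text byte
            out += ch.encode('latin-1')
            pos += 1
    return bytes(out)


def encode_content(data: bytes) -> str:
    """Render bytes in Snort notation: printable ASCII literally, the rest as |hex|."""
    parts, hexrun = [], []

    def flush():
        if hexrun:
            parts.append('|' + ' '.join(hexrun) + '|')
            hexrun.clear()

    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in _NEEDS_ESCAPE:
            flush()
            parts.append(chr(b))
        else:
            hexrun.append('%02X' % b)
    flush()
    return ''.join(parts)
```

Running decode_content on the second rule's string and feeding the result to encode_content reproduces the original notation, which is a quick way to check that a hand-written mixed content string means what you think it does.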