[Snort-sigs] rule content

Jules F. Pagna Disso jferdinand at ...3299...
Mon Jun 18 20:47:57 EDT 2007



Hi All,


I am trying to  understand how to write the rules. I have some problems:


1.       When to convert byte? Raw data? Or when to leave it as it is or
when to  have a mixed binary and text content ? 

For example I have the rules 


alert tcp any any -> any 80 (content: !"GET";)


alert tcp any any -> any 139 (content: "|5C 00|P|00|P|00|E|00 5cl`;)




2.       Is there any format that is best to work with? 


3.       Can someone help me to reconstitute the original content that was
converted in the second rule given here as an example ?








-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20070619/c29ef827/attachment.html>

More information about the Snort-sigs mailing list