[Snort-sigs] [AUTO IP] Re: Question about content

Paul Schmehl pschmehl_lists at ...3425...
Tue Dec 1 14:23:27 EST 2009


I saw that.  The point is, you didn't come close to answering the OP's 
question.  Forget the assumptions you made, you looked for a word 4 bytes into 
the packet.  That wasn't what he asked for.  He asked how he could find the 
pattern at_the_end_of_the_packet without knowing the packet length.

The rest is irrelevant.

--On Tuesday, December 01, 2009 11:46:04 -0600 evilghost at ...3397... wrote:

>
> Paul, since you failed at reading comprehension, here would be the
> *critical* statement I made *before* I supplied the rule, as an example
> of how PCRE could be used to detect what the OP has requested:
>
> "Making assumptions about direction, protocol, and content I would try
> something like this:"
>
> I do appreciate your gems of wisdom concerning the ip based rule.
>

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson




