[Snort-sigs] Matching host get and content

Joel Esler jesler at ...435...
Mon Jul 9 14:47:25 EDT 2012


Try file_data before your last content match. 

-- 
Joel Esler

On Jul 9, 2012, at 12:29 PM, James Lay <jlay at ...3266...> wrote:

> Hey all,
> 
> I'm not even sure where to look for this, but in layman's terms I want 
> to "match on http getting to a certain domain name and match some 
> content within, only when the two match alert".  Is this a 
> stream_reassemble thing?  Am I looking at something like:
> 
> flow:established,to_server; stream_reassemble;enable: content:bleh.com; 
> http_header; content:stuffinpacket;
> 
> Thanks for any pointers.
> 
> James
> 
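An added example, not part of either poster's message: one way to pair a Host match with a `file_data` body match in Snort 2.9 rule syntax, assuming the second string is expected in the HTTP response body. The SIDs, msg strings and flowbit name are constructed; `bleh.com` and `stuffinpacket` are the placeholders from the question.

```snort
# Added example (constructed): SIDs, msg text and the flowbit name are
# illustrative. Assumes http_inspect is enabled and that $HOME_NET,
# $EXTERNAL_NET and $HTTP_PORTS are defined in snort.conf.

# Rule 1: client request whose Host header names the domain.
# It only tags the flow; flowbits:noalert keeps it silent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL HTTP request to bleh.com (flow tag only)"; \
    flow:established,to_server; \
    content:"Host|3A| bleh.com"; http_header; nocase; \
    flowbits:set,local.bleh_host; flowbits:noalert; \
    sid:1000001; rev:1;)

# Rule 2: response on a tagged flow. In Snort 2.9 file_data moves the
# detection cursor to the HTTP response body, so the content match that
# follows it is evaluated against the body, not the headers.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL bleh.com response body contains stuffinpacket"; \
    flow:established,to_client; \
    flowbits:isset,local.bleh_host; \
    file_data; content:"stuffinpacket"; \
    sid:1000002; rev:1;)

# If the string is expected in the request itself rather than the
# response, a single to_server rule with http_uri or http_client_body
# on the second content match covers it without flowbits.
```

The Host header travels in the request and the response body in the opposite direction, which is why the two matches are split across rules and tied together with a flowbit.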



