[Snort-users] sp_pattern_match : problem or feature?
fygrave at ...121...
Wed Aug 16 15:07:57 EDT 2000
I didn't actually notice it right away (oops), but with the recent
sp_pattern_match change the semantics of the `content' (and `content-list')
keywords got changed. First I was thinking of fixing it right away, but it
seems that both ways of handling the `content*' keywords might be useful.
To give more details on the problem that popped up:
The original behavior of the `content' keyword was, if several `content's are
defined per rule, f.e.
alert tcp any any -> any any (msg: "boomerang"; content: "one piece"; content: "another");
Snort would trigger an alert only if the packet contains both `one piece' and
However, with the recent change it would be: if the packet contains `one piece'
_OR_ `another', the alert would be triggered.
Actually it might make sense to keep _OR_ for content-list, but the new
behaviour breaks certain rules (vbs scripts f.e.) where multiple content
keywords are used.
The question is: how would the snort community prefer this to be
1. Leave the original semantics of the `content' rule and leave the new semantics for
2. Leave the original semantics for both `content' and `content-list' and
introduce a new set of keywords to handle _OR_ operations with content
3. Put an extra keyword defining the semantics per rule (*ugh* should be too much
BTW, if anyone feels like testing the still-probably-buggy but seemingly working
basic regex support (keyword `regex', supported characters: `*', `?' and
`\` for escape, usage similar to nocase), it's been committed tonight.
Any feedback is welcome.
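The post above hinges on whether several `content' options in one rule are ANDed (the original behaviour) or ORed (after the sp_pattern_match change), and mentions a new `regex' keyword with `*', `?' and `\` escape. The following is an added example, not Snort code and not from the poster: a small Python evaluator that parses the option body of a rule like the "boomerang" one, evaluates its `content' terms under either semantics, and translates the post's glob-style `regex' syntax into a Python regular expression. The rule text `VBS_RULE`, the sample payloads, and the choice to AND `regex' terms with the content result are constructed assumptions for illustration; Snort's real parser and matcher are not reproduced here.

```python
import re

# Rule from the post, verbatim.
BOOMERANG = 'alert tcp any any -> any any (msg: "boomerang"; content: "one piece"; content: "another");'

# Constructed example of the kind of rule the post says the OR change breaks:
# both a literal content and a glob-style regex must hold (assumed semantics).
VBS_RULE = ('alert tcp any any -> any any (msg: "vbs attachment"; '
            'content: "Content-Disposition"; regex: "filename=*.vbs";)')


def parse_rule(rule_text):
    """Parse the option body "(...)" of a Snort-1.x style rule.

    Only the keywords discussed in the post are understood: msg, content
    and regex; anything else is ignored so a realistic rule still parses.
    Returns (msg, [content strings], [regex globs]).
    """
    body = rule_text[rule_text.index("(") + 1: rule_text.rindex(")")]
    msg, contents, regexes = "", [], []
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key == "content":
            contents.append(val)
        elif key == "regex":
            regexes.append(val)
    return msg, contents, regexes


def glob_to_regex(glob):
    """Translate the post's `regex' syntax (`*', `?', `\\` escape) into a Python regex.

    `*' becomes `.*', `?' becomes `.', a backslash quotes the next character,
    and everything else is matched literally.
    """
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == "\\" and i + 1 < len(glob):
            out.append(re.escape(glob[i + 1]))
            i += 2
            continue
        out.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
        i += 1
    return "".join(out)


def matches(rule_text, payload, content_mode="and"):
    """Return True if the payload would trigger the rule.

    content_mode="and": every `content' must be present (original semantics).
    content_mode="or":  any single `content' suffices (post-change semantics).
    `regex' terms are ANDed with the content result (an assumption made here).
    """
    _msg, contents, regexes = parse_rule(rule_text)
    if contents:
        hits = [c in payload for c in contents]
        content_ok = all(hits) if content_mode == "and" else any(hits)
    else:
        content_ok = True
    regex_ok = all(re.search(glob_to_regex(g), payload, re.DOTALL) for g in regexes)
    return bool(content_ok and regex_ok)


def compare_semantics(rule_text, payloads):
    """Evaluate each constructed payload under both semantics.

    Returns {payload: (and_result, or_result)} so the difference the post
    describes (OR firing on packets that carry only one of the strings) is visible.
    """
    return {p: (matches(rule_text, p, "and"), matches(rule_text, p, "or")) for p in payloads}


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    samples = ["one piece here, another there", "only one piece", "neither string"]
    for payload, (and_hit, or_hit) in compare_semantics(BOOMERANG, samples).items():
        print(f"{payload!r:36} AND={and_hit} OR={or_hit}")
    print(matches(VBS_RULE, 'Content-Disposition: attachment; filename="love.vbs"'))
```

Running the script shows the second payload ("only one piece") firing under OR but not under AND, which is exactly the change the post reports; the `regex' translation is deliberately kept to the three characters the post names, so a pattern such as `filename=*.vbs` anchors nowhere and is searched anywhere in the payload, like a `content' string.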