[Snort-users] regexp for content

grina at ...879...
Wed Nov 29 11:50:46 EST 2000


Is there any practical way to do regexp matching in the content: keyword?
At this point, I'm trying to create a rule that matches all outgoing HTTP
requests except for GET.  

I tried ignoring (pass rule) the GET first, and then grabbing the rest of
the outgoing HTTP sessions.  Any idea why these 2 rules don't work as I hoped?

pass tcp any any -> any 80 (msg:"pass HTTP GET";content:"GET /";depth:20;session:all;)
alert tcp any any -> any 80 (msg:"HTTP session";session:printable;)

This case would be a trivial regexp example, but I imagine that more
complicated regexps would be quite useful as long as they don't bog down 
the system.

-Pete
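Added illustration, not part of the original post or of Snort itself: a tiny constructed model of the two rules above, applied in Snort 1.x's default Alert -> Pass -> Log order and in the Pass -> Alert -> Log order that the `-o` switch selects. The content/depth matching is simplified and the HTTP requests are constructed samples; it only shows how rule ordering decides whether the pass rule ever gets a chance to suppress the GET.

```python
# Constructed, simplified model of the two rules in the post (not Snort's own code).
# Each rule: action, a content string that must appear, and the depth within
# which it must appear (None = unconstrained / no content option).
RULES = [
    {"action": "pass",  "msg": "pass HTTP GET", "content": b"GET /", "depth": 20},
    {"action": "alert", "msg": "HTTP session",  "content": None,     "depth": None},
]

def rule_matches(rule, payload):
    """Return True if the rule's content/depth test matches the payload."""
    if rule["content"] is None:
        return True  # no content option: any packet to the port matches
    window = payload if rule["depth"] is None else payload[:rule["depth"]]
    return rule["content"] in window

def evaluate(payload, order):
    """Apply rules grouped by action in the given order; return the first verdict."""
    for action in order:
        for rule in RULES:
            if rule["action"] == action and rule_matches(rule, payload):
                return action, rule["msg"]
    return "none", None

# Snort 1.x applies rule groups Alert -> Pass -> Log by default;
# the -o command-line switch changes this to Pass -> Alert -> Log.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")

# Constructed sample requests (not captured traffic).
GET_REQ = b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n"
POST_REQ = b"POST /cgi-bin/form HTTP/1.0\r\nHost: example.com\r\n\r\n"

def demo():
    """Verdict for each request under each ordering."""
    return {
        "get_default": evaluate(GET_REQ, DEFAULT_ORDER)[0],      # alert fires first
        "get_pass_first": evaluate(GET_REQ, PASS_FIRST_ORDER)[0],  # pass suppresses it
        "post_default": evaluate(POST_REQ, DEFAULT_ORDER)[0],
        "post_pass_first": evaluate(POST_REQ, PASS_FIRST_ORDER)[0],
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```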


