[Snort-users] regexp for content

Roman Danyliw roman at ...438...
Wed Nov 29 14:13:58 EST 2000


Pete,

Did you use the '-o' command-line option when starting snort so that
the rule evaluation order is 'Pass|Alert|Log' instead of 'Alert|Log|Pass'?

Roman

On Wed, 29 Nov 2000 grina at ...879... wrote:

>
> Is there any practical way to do regexp matching in the content: keyword?
> At this point, I'm trying to create a rule that matches all outgoing HTTP
> requests except for GET.
>
> I tried ignoring (pass rule) the GET first, and then grabbing the rest of
> the outgoing HTTP sessions.  Any idea why these 2 rules don't work as I hoped?
>
> pass tcp any any -> any 80 (msg:"pass HTTP GET";content:"GET /";depth:20; session:all;)
> alert tcp any any -> any 80 (msg:"HTTP session";session:printable;)
>
> This case would be a trivial regexp example, but I imagine that more
> complicated regexps would be quite useful as long as they don't bog down
> the system.
>
> -Pete
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
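The following is an added illustration, not code from either poster or from the Snort project: a deliberately simplified Python model of the rule-ordering behaviour Roman points at. Rules are grouped by action, the groups are evaluated in the configured order, and the first matching rule decides the packet's fate. Under the default 'Alert|Log|Pass' order the catch-all "HTTP session" alert is evaluated before the pass rule, so GET requests are alerted on anyway; under the '-o' order ('Pass|Alert|Log') the pass rule sees the GET first and only non-GET requests reach the alert. The sample payloads are constructed, and the matcher implements only the `content` and `depth` options that Pete's rules use (the `session` modifier is ignored here, as it does not affect matching).

```python
from typing import Dict, List, Optional, Tuple

# Simplified model of Snort rule evaluation order (illustration only,
# not Snort's real detection engine).


class Rule:
    """One rule with an action, a message and an optional content match."""

    def __init__(self, action: str, msg: str,
                 content: Optional[bytes] = None,
                 depth: Optional[int] = None) -> None:
        self.action = action      # "pass", "alert" or "log"
        self.msg = msg
        self.content = content    # bytes to look for, or None for "match all"
        self.depth = depth        # only search the first `depth` payload bytes

    def matches(self, payload: bytes) -> bool:
        if self.content is None:
            return True           # no content option: every packet matches
        window = payload if self.depth is None else payload[:self.depth]
        return self.content in window


# Pete's two rules, reduced to the options that matter for matching.
RULES: List[Rule] = [
    Rule("pass", "pass HTTP GET", content=b"GET /", depth=20),
    Rule("alert", "HTTP session"),
]

# Evaluation orders from Roman's reply.
DEFAULT_ORDER: Tuple[str, ...] = ("alert", "log", "pass")   # without -o
DASH_O_ORDER: Tuple[str, ...] = ("pass", "alert", "log")    # with -o

# Constructed sample payloads, not captured traffic.
SAMPLE_PACKETS: Dict[str, bytes] = {
    "get":  b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "post": b"POST /cgi-bin/form HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "head": b"HEAD /index.html HTTP/1.0\r\n\r\n",
}


def evaluate(payload: bytes, rules: List[Rule],
             order: Tuple[str, ...]) -> Tuple[str, str]:
    """Return (action, msg) of the first rule that matches, walking the
    action groups in `order`; ("none", "") if nothing matches."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule.matches(payload):
                return rule.action, rule.msg
    return "none", ""


def run(order: Tuple[str, ...]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample packet under one ordering."""
    return {name: evaluate(p, RULES, order) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, order in (("default", DEFAULT_ORDER), ("-o", DASH_O_ORDER)):
        print(f"order {label} ({'|'.join(order)}):")
        for name, (action, msg) in run(order).items():
            print(f"  {name:5s} -> {action:5s} {msg}")
```

Running it shows the GET packet producing an "HTTP session" alert under the default order and being passed under the '-o' order, while POST and HEAD are alerted on either way; that is exactly the difference between what Pete saw and what he intended.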
