[Snort-users] regexp for content

Roman Danyliw roman at ...438...
Wed Nov 29 14:13:58 EST 2000


Did you use the '-o' command-line option when starting snort so that
the rule evaluation order is 'Pass|Alert|Log' instead of 'Alert|Log|Pass'?


On Wed, 29 Nov 2000 grina at ...879... wrote:

> Is there any practical way to do regexp matching in the
> content: keyword?
> At this point, I'm trying to create a rule that matches all outgoing
> requests except for GET.
> I tried ignoring (pass rule) the GET first, and then grabbing the rest
> the outgoing HTTP sessions.  Any idea why these 2 rules don't work as I
> pass tcp any any -> any 80 (msg:"pass HTTP GET"; content:"GET"; session:all;)
> alert tcp any any -> any 80 (msg:"HTTP session";session:printable;)
> This case would be a trivial regexp example, but I imagine that more
> complicated regexps would be quite useful as long as they don't bog down
> the system.
> -Pete
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
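The following is an added example, not code from the thread or from the Snort project: a small Python model of the rule-type ordering Roman refers to, run over Pete's two rules (with the closing quote on content:"GET" restored) and a few constructed HTTP payloads. It parses only the subset of Snort 1.x rule syntax used above (action, protocol, destination port, msg, content, and a depth modifier; addresses, source ports and the session: option are ignored), and it assumes the default order is Alert|Log|Pass with -o switching to Pass|Alert|Log, as stated in the reply. The depth modifier and the TIGHTER_RULES variant are my additions to show why matching "GET" anywhere in the payload is not the same as matching a GET request.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rule-type evaluation orders as described in the thread: Snort's default
# is Alert|Log|Pass; starting snort with -o makes it Pass|Alert|Log.
DEFAULT_ORDER = ("alert", "log", "pass")
PASS_FIRST_ORDER = ("pass", "alert", "log")   # snort -o

# Toy grammar: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    dport: str                   # "any" or a port number as written in the rule
    msg: str = ""
    content: Optional[bytes] = None
    depth: Optional[int] = None  # assumption: search only the first N payload bytes


def parse_rule(text: str) -> Rule:
    """Parse the subset of Snort 1.x rule syntax used in the thread.
    Addresses and the source port are matched by the regex but ignored;
    session: is accepted and ignored (it only controls what gets logged).
    Option values containing ';' are not supported by this toy parser."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: %r" % text)
    rule = Rule(m["action"], m["proto"], m["dport"])
    for opt in m["opts"].split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule.msg = val.strip('"')
        elif key == "content":
            rule.content = val.strip('"').encode()
        elif key == "depth":
            rule.depth = int(val)
    return rule


def matches(rule: Rule, pkt: Dict) -> bool:
    """Protocol, destination port and (optionally) a content substring."""
    if rule.proto != pkt["proto"]:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt["dport"]:
        return False
    if rule.content is not None:
        payload = pkt["payload"]
        haystack = payload if rule.depth is None else payload[:rule.depth]
        if rule.content not in haystack:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Dict,
             order: Tuple[str, ...]) -> Tuple[Optional[str], Optional[str]]:
    """Return (action, msg) of the first matching rule, trying rule types in
    the given order: every rule of the first type is checked before any rule
    of the next type, so under Alert|Log|Pass a matching alert rule fires
    before the pass rule is ever consulted."""
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action, rule.msg
    return None, None


# Pete's two rules (closing quote on content:"GET" restored).
PETE_RULES = [
    parse_rule('pass tcp any any -> any 80 (msg:"pass HTTP GET"; content:"GET"; session:all;)'),
    parse_rule('alert tcp any any -> any 80 (msg:"HTTP session"; session:printable;)'),
]
# Added variant: only pass when "GET" sits at the very start of the payload.
TIGHTER_RULES = [
    parse_rule('pass tcp any any -> any 80 (msg:"pass HTTP GET"; content:"GET"; depth:3; session:all;)'),
    PETE_RULES[1],
]

# Constructed sample traffic (not captured data).
GET_REQ = {"proto": "tcp", "dport": 80, "payload": b"GET / HTTP/1.0\r\n\r\n"}
POST_REQ = {"proto": "tcp", "dport": 80, "payload": b"POST /login HTTP/1.0\r\n\r\nuser=a"}
POST_WITH_GET_IN_BODY = {"proto": "tcp", "dport": 80, "payload": b"POST /x HTTP/1.0\r\n\r\nTARGET=1"}
SMTP = {"proto": "tcp", "dport": 25, "payload": b"HELO example\r\n"}

if __name__ == "__main__":
    for name, pkt in [("GET", GET_REQ), ("POST", POST_REQ), ("POST w/ GET in body", POST_WITH_GET_IN_BODY)]:
        print(name,
              "default:", evaluate(PETE_RULES, pkt, DEFAULT_ORDER),
              "-o:", evaluate(PETE_RULES, pkt, PASS_FIRST_ORDER),
              "-o + depth:", evaluate(TIGHTER_RULES, pkt, PASS_FIRST_ORDER))
```

Under the default order the GET request still alerts because the alert rule is tried first; with -o the pass rule wins. The third packet shows the remaining gap in the approach: content:"GET" matches anywhere in the payload, so a POST whose body happens to contain "GET" is passed too, which the depth-limited variant avoids.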
