[Snort-users] ftp glob rule

Martin Roesch roesch at ...421...
Tue Apr 24 15:04:27 EDT 2001


This is correct.  You can't specify the offset from another match
(that'd be somewhat hairy to implement due to the nature of the way the
plugins are called).  

If you have two content checks with no offset or depth specifiers to go
with them, both content checks are applied to the full payload.

    -Marty

James Hoagland wrote:
> 
> Max,
> 
> >Question: you have multiple content rules that are the same string, does
> >snort really discern that these are separate strings to be detected, or
> >will each one consider the entire payload (therefore meaning that the
> >second two are redundant)?  My rule watches for "|2f2a|".
> 
> Unless I am mistaken, each content rule is considered for the entire payload.  You can add "offset" and "depth" specifications after "content" (but before the next "content") to modify that behavior.  I don't think you can specify the offset as relative to the previous content match, though that might be nice.
> 
> Regards,
> 
>   Jim
> --
> |*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
> |*               hoagland at ...47...                *|
> |*              http://www.silicondefense.com/              *|
> |*      Silicon Defense - Technical Support for Snort       *|
> |*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
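As an added illustration (it is not Snort's code and was not posted by anyone in this thread), the following Python model reproduces the content-matching semantics Marty and Jim describe: every content option is searched independently across the full payload, so repeated identical contents are redundant, and offset/depth only shrink the search window. The option parser, the hex-pipe parser, and the window arithmetic (depth counted from offset) are my own assumptions about the syntax, not Snort's implementation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

def parse_content(spec: str) -> bytes:
    """Turn a Snort-style content value such as '"/*"' or '"|2f 2a|"' into bytes.
    Text outside a pipe pair is literal; text inside a pipe pair is hex."""
    spec = spec.strip()
    if spec.startswith('"') and spec.endswith('"'):
        spec = spec[1:-1]
    parts = spec.split('|')
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode('latin-1')          # literal segment
        else:
            out += bytes.fromhex(part.replace(' ', ''))  # |hex| segment
    return bytes(out)

@dataclass
class ContentCheck:
    pattern: bytes
    offset: int = 0              # byte index where the search window starts
    depth: Optional[int] = None  # assumption: bytes to search from offset; None = to end

    def find(self, payload: bytes) -> Optional[int]:
        """Return the absolute index of the first hit inside the window, or None."""
        end = len(payload) if self.depth is None else min(len(payload), self.offset + self.depth)
        idx = payload[self.offset:end].find(self.pattern)
        return None if idx == -1 else self.offset + idx

# key:value; pairs, with quoted values allowed to contain ';'
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')

def parse_options(options: str) -> List[ContentCheck]:
    """Build ContentChecks from a rule option string. offset/depth attach to the
    most recent content, which is why they must come before the next content."""
    checks: List[ContentCheck] = []
    for key, value in OPTION_RE.findall(options):
        if key == "content":
            checks.append(ContentCheck(parse_content(value)))
        elif key in ("offset", "depth"):
            if not checks:
                raise ValueError("%s must follow a content option" % key)
            setattr(checks[-1], key, int(value))
        # msg, flags, etc. are not modelled here
    return checks

def rule_matches(checks: List[ContentCheck], payload: bytes) -> Optional[List[int]]:
    """Every check is evaluated on its own; there is no relation between checks.
    Returns the match position of each check, or None if any check fails."""
    positions = []
    for check in checks:
        pos = check.find(payload)
        if pos is None:
            return None
        positions.append(pos)
    return positions

# Constructed FTP payloads (not captured traffic): "/*" is |2f2a|
TWO_GLOBS = b"RETR /*/*.txt\r\n"   # "/*" at 5 and at 7
ONE_GLOB = b"RETR /*.txt\r\n"      # "/*" at 5 only

if __name__ == "__main__":
    # Three identical, unmodified contents all hit the same first occurrence,
    # so a payload with a single "/*" satisfies all three: the extra two are redundant.
    plain = parse_options('content:"|2f2a|"; content:"|2f2a|"; content:"|2f2a|";')
    print(rule_matches(plain, ONE_GLOB), rule_matches(plain, TWO_GLOBS))
    # A static offset/depth on the second content moves its window past the first
    # hit, so only the two-glob payload matches. The offset is absolute, not
    # relative to the previous match, which is the limitation the thread notes.
    windowed = parse_options('msg:"ftp glob"; content:"|2f2a|"; content:"|2f2a|"; offset:6; depth:3;')
    print(rule_matches(windowed, ONE_GLOB), rule_matches(windowed, TWO_GLOBS))
```

Run as a script, the first line prints `[5, 5, 5] [5, 5, 5]` and the second prints `None [5, 7]`, which is exactly the difference between stacking identical contents and giving the second one its own window.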