[Snort-users] depth?

Chris Green cmg at ...671...
Wed Jan 10 16:45:06 EST 2001


Max Vision <vision at ...4...> writes:

> For example the following rule does not work (depth of 1 or higher):
> alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278/named-probe-version"; 
> content: "|07|version"; nocase; depth: 32;)
> 
> but this does (depth is zero or omitted):
> alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278/named-probe-version"; 
> content: "|07|version"; nocase; depth: 0;)
> 
> Can anyone else confirm on this or other platforms?

Seeing your message right after mine, a depth of 29 works, but it does
not work when the depth exceeds the payload length.  This is on a
Red Hat 6.2 box.

-- 
Chris Green <cmg at ...671...>
You now have 14 minutes to reach minimum safe distance.
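
Added example, not part of the original message and not Snort's own code: a small Python model of a `content` match with `depth`, putting the behaviour reported above (a depth past the end of the payload never matches) next to a matcher that clamps the search window to the payload length. The sample packet (a `version.bind` CHAOS TXT query) and all function names are constructed for illustration.

```python
import struct

def parse_content(spec: str) -> bytes:
    """Decode a Snort content string; segments between pipes are hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)

def version_bind_query(txid: int = 0x1234) -> bytes:
    """Constructed sample: DNS query for version.bind, type TXT, class CHAOS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack(">HH", 16, 3)

def content_match(payload, content, depth=0, nocase=False, clamp=True):
    """Search for content in the first `depth` payload bytes (0 = all of it).

    clamp=True  treats a depth past the end of the payload as "whole payload".
    clamp=False models the behaviour reported in the thread: such a depth
                never matches. This is a model, not Snort's source.
    """
    if nocase:
        payload, content = payload.lower(), content.lower()
    if depth > len(payload):
        if not clamp:
            return False
        depth = len(payload)
    window = payload[:depth] if depth else payload
    return content in window

def compare(depths=(0, 19, 20, 29, 32)):
    """Return {depth: (reported_behaviour, clamped_behaviour)} for the rule."""
    payload = version_bind_query()
    content = parse_content("|07|version")
    return {d: (content_match(payload, content, d, True, clamp=False),
                content_match(payload, content, d, True, clamp=True))
            for d in depths}

if __name__ == "__main__":
    print("payload length:", len(version_bind_query()))
    for depth, (reported, clamped) in compare().items():
        print(f"depth {depth:2}: reported={reported} clamped={clamped}")
```

The constructed query is 30 bytes long and the pattern ends at byte 20, so in this model depths 20 through 30 match either way, while depth 32 matches only when the window is clamped.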



