[Snort-users] Having trouble with activate/dynamic..

Chris Green cmg at ...671...
Mon Mar 12 11:25:07 EST 2001

Erik Fichtner <emf at ...367...> writes:

> pass icmp any any -> any (itype:3; icode:1; content:"|0A 00 00 01|"; content:"|00 35|"; offset: 16; depth:32;)
> looks right on the surface, but it makes no restrictions that each content 
> string appears at a specific place or in a specific order, although I admit 
> there's not much room to play around. 

Have you played with multiple offset/depths?  This is where snort
rules get ugly (though multiline rules help) but I believe you can:

(itype:3; icode:1; \
content:"|0A 00 00 01|"; offset: 16; depth: 4; \
content:"|00 35|"; offset: 21; depth:2;)

You'll have to play with the offsets to check for bumblings on my part,
but this is the right approach, I believe.
Chris Green <cmg at ...671...>
This is my signature. There are many like it but this one is mine.
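
The difference between the two rules in this message, as an added example that is not part of the original post and is not Snort code: a simplified Python model of content/offset/depth matching run over constructed payloads. It assumes each content is searched independently inside payload[offset : offset + depth]; the helper names and the payload bytes are hypothetical.

```python
# Simplified model (assumption): each content option is searched on its own
# inside payload[offset : offset + depth]; no ordering between contents.

def content_hit(payload, pattern, offset=0, depth=None):
    """Return the absolute index of pattern inside its window, or -1."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    idx = payload[offset:end].find(pattern)
    return -1 if idx < 0 else offset + idx

def rule_matches(payload, contents):
    """The rule fires only if every content hits inside its own window."""
    return all(content_hit(payload, *c) >= 0 for c in contents)

IP = bytes.fromhex("0A000001")
PORT = bytes.fromhex("0035")

# Quoted rule: the first content has no modifiers, so it may sit anywhere;
# offset 16 / depth 32 bind only to the second content.
LOOSE = [(IP, 0, None), (PORT, 16, 32)]
# Rule from the reply: each content pinned to its own window.
PINNED = [(IP, 16, 4), (PORT, 21, 2)]

def build(length, placements):
    """Constructed test payload: 0xFF filler with patterns at given offsets."""
    buf = bytearray(b"\xff" * length)
    for pos, data in placements.items():
        buf[pos:pos + len(data)] = data
    return bytes(buf)

EXPECTED = build(28, {16: IP, 21: PORT})   # bytes where the pinned rule looks
SHUFFLED = build(28, {4: IP, 24: PORT})    # same bytes, different places
SWAPPED = build(28, {16: PORT, 20: IP})    # same bytes, reversed order
SHIFTED = build(28, {16: IP, 22: PORT})    # second pattern one byte later

if __name__ == "__main__":
    samples = {"EXPECTED": EXPECTED, "SHUFFLED": SHUFFLED,
               "SWAPPED": SWAPPED, "SHIFTED": SHIFTED}
    for name, payload in samples.items():
        # Unwindowed hit positions show where each pattern really landed,
        # which is what you need when tuning offsets.
        print(f"{name:9} loose={rule_matches(payload, LOOSE)!s:5} "
              f"pinned={rule_matches(payload, PINNED)!s:5} "
              f"ip@{content_hit(payload, IP)} port@{content_hit(payload, PORT)}")
```

Running it against a hex dump of a real captured payload instead of the constructed ones shows where each pattern actually sits, which is the quickest way to settle the offsets.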
