[Snort-users] Having trouble with activate/dynamic..

Chris Green cmg at ...671...
Mon Mar 12 11:25:07 EST 2001


Erik Fichtner <emf at ...367...> writes:

> 
> pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; content:"|0A 00 00 01|"; content:"|00 35|"; offset: 16; depth:32;)
> 
> looks right on the surface, but it makes no restrictions that each content 
> string appears at a specific place or in a specific order, although I admit 
> there's not much room to play around. 
> 

Have you played with multiple offset/depths? This is where Snort
rules get ugly (though multiline rules help), but I believe you can
do

pass icmp any any -> 10.0.0.1 any (itype:3; icode:1; \
content:"|0A 00 00 01|"; offset: 16; depth: 4; \
content:"|00 35|"; offset: 21; depth:2;)

You'll have to play with the offsets to check for bumblings on my part,
but this is the right approach, I believe.
-- 
Chris Green <cmg at ...671...>
This is my signature. There are many like it but this one is mine.
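The difference the thread is about, shown in code: this is an added example, not code from the Snort project or from either poster. It evaluates content/offset/depth options the way classic Snort does (each content is checked independently in its own window, and the window's depth is assumed to count from the offset, as in the Snort 2.x manual) over a constructed ICMP type 3 payload. It assumes that for ICMP rules Snort begins matching at the byte after the 8-byte ICMP header, i.e. at the original datagram's IP header, which is what offset 16 for the destination address implies; under that layout the destination port of the original datagram sits at bytes 22-23 and the source port at bytes 20-21. The payload builder, the sample addresses and ports, and the two rule tables are all constructed for the example.

```python
"""Evaluate Snort-style content/offset/depth options against an ICMP
type 3 payload.  Added example for this thread, not code from the Snort
project.  Assumption: Snort starts content matching for ICMP rules at the
byte after the 8-byte ICMP header, i.e. at the embedded (original) IP
header, which is what offset 16 for the destination address implies."""
import struct


def build_dest_unreach_payload(src_ip, dst_ip, sport, dport, proto=17):
    """Constructed sample payload: the 20-byte IP header of the original
    datagram followed by its first 8 bytes (port pair plus filler).  This
    is what a host-unreachable message carries; it is not captured traffic."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5
        0,                    # TOS
        28,                   # total length of the sample (20 + 8)
        0x1234,               # identification
        0,                    # flags / fragment offset
        64,                   # TTL
        proto,                # 17 = UDP, 6 = TCP
        0,                    # header checksum (left unset in the sample)
        bytes(map(int, src_ip.split("."))),
        bytes(map(int, dst_ip.split("."))),
    )
    first_eight = struct.pack("!HH4s", sport, dport, b"\x00" * 4)
    return ip_header + first_eight


def content_matches(payload, pattern, offset=None, depth=None):
    """One content option as classic Snort evaluates it: look for `pattern`
    in the window that starts at `offset` (default 0) and spans `depth`
    bytes (default: to the end of the payload).  Assumes depth counts from
    the offset, as in the Snort 2.x manual."""
    start = offset or 0
    end = len(payload) if depth is None else start + depth
    return payload.find(pattern, start, end) != -1


def rule_matches(payload, contents):
    """Content options in one rule are ANDed and evaluated independently of
    each other, so without offset/depth nothing constrains their position."""
    return all(content_matches(payload, *c) for c in contents)


def find_all(payload, pattern):
    """Every offset at which `pattern` occurs, to see where a match landed."""
    hits, pos = [], payload.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = payload.find(pattern, pos + 1)
    return hits


def to_snort_options(contents):
    """Render (pattern, offset, depth) triples as Snort rule options."""
    parts = []
    for pattern, offset, depth in contents:
        parts.append('content:"|%s|";' % " ".join("%02X" % b for b in pattern))
        if offset is not None:
            parts.append("offset:%d;" % offset)
        if depth is not None:
            parts.append("depth:%d;" % depth)
    return " ".join(parts)


# Erik's options: 10.0.0.1 anywhere, port 53 anywhere in a 32-byte window.
LOOSE_RULE = [(b"\x0a\x00\x00\x01", None, None), (b"\x00\x35", 16, 32)]

# Anchored version: destination address field (bytes 16-19 of the embedded
# IP header) and destination port (bytes 22-23; the source port is 20-21).
ANCHORED_RULE = [(b"\x0a\x00\x00\x01", 16, 4), (b"\x00\x35", 22, 2)]


def compare_rules():
    """Run both rules over three constructed payloads; returns
    {name: (loose_matches, anchored_matches)}."""
    cases = {
        "query from 192.168.1.5 to 10.0.0.1:53":
            build_dest_unreach_payload("192.168.1.5", "10.0.0.1", 0x8A1F, 53),
        "source port 53, destination port 1024":
            build_dest_unreach_payload("192.168.1.5", "10.0.0.1", 53, 1024),
        "10.0.0.1 in the source address field":
            build_dest_unreach_payload("10.0.0.1", "192.168.1.5", 0x8A1F, 53),
    }
    return {name: (rule_matches(p, LOOSE_RULE), rule_matches(p, ANCHORED_RULE))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (loose, anchored) in compare_rules().items():
        print("%-40s loose=%-5s anchored=%s" % (name, loose, anchored))
    print(to_snort_options(ANCHORED_RULE))
```

The loose rule passes all three constructed payloads, including the one where 53 is the source port and the one where 10.0.0.1 is the source rather than the destination of the original datagram, because each content is free to match anywhere in its window. The anchored rule passes only the first. Whether 22 or a neighbouring value is the right port offset for a given Snort build depends on where its ICMP decoder places the payload start, which is exactly the thing to check against a capture before trusting the rule.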