[Snort-users] content field

|=- ROHIT-=| rohits79 at ...131...
Sat Sep 22 00:40:02 EDT 2001


Hi all,

I am having a small doubt understanding the content field in the Snort rules:

Say I want to filter my TCP/IP data field containing the hex code 0a5c38f3 (just for example); then

the content field is written as

content:"|0a 5c 38 f3|" for example 

but
sometimes they are separated into groups of words, "|0a5c 38f3|", as in a few examples of the Snort rules,
and sometimes together as one, "|0a5c38f3|".

Is there any difference among them, or does the parser take them as one group, as a whole?


best regards
rohit


