[Snort-users] content field
rohits79 at ...131...
Sat Sep 22 00:40:02 EDT 2001
I am having a small doubt understanding the content field in the Snort rules:
say I want to filter my TCP/IP data field containing the hex code 0a5c38f3 (just for example); then
the content field is written as
content:"|0a 5c 38 f3|" for example.
Sometimes they are separated in groups of words, "|0a5c 38f3|", as in a few examples of the Snort rules,
and sometimes together as "|0a5c38f3|" as one.
Is there any difference among them, or does the parser take them as one group, as a whole?
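
Added example, not part of the original post and not Snort's own code: a small Python decoder for the three spellings quoted above, modelling the pipe-delimited hex notation in which spaces between hex digits are only visual separators. The names `decode_content` and `FORMS` are hypothetical, and backslash escapes are deliberately not handled.

```python
import string


def decode_content(pattern: str) -> bytes:
    """Decode a content pattern: literal text plus |..| hex sections.

    Narrowed model for illustration: no backslash escapes, ASCII literals.
    """
    out = bytearray()
    in_hex = False
    nibbles = ""  # hex digits collected for the byte in progress
    for ch in pattern:
        if ch == "|":
            if in_hex and nibbles:
                raise ValueError("odd number of hex digits before closing '|'")
            in_hex = not in_hex          # a pipe toggles hex mode
        elif not in_hex:
            out += ch.encode("latin-1")  # literal character, one byte
        elif ch == " ":
            continue                     # spacing inside |..| carries no data
        elif ch in string.hexdigits:
            nibbles += ch
            if len(nibbles) == 2:        # two digits make one byte
                out.append(int(nibbles, 16))
                nibbles = ""
        else:
            raise ValueError(f"non-hex character {ch!r} inside |...|")
    if in_hex:
        raise ValueError("unterminated |...| section")
    return bytes(out)


# The three spellings from the post above.
FORMS = ["|0a 5c 38 f3|", "|0a5c 38f3|", "|0a5c38f3|"]

if __name__ == "__main__":
    for form in FORMS:
        print(f"{form!r:18} -> {decode_content(form).hex()}")
    # Constructed sample mixing literal text with a hex section.
    print(repr(decode_content("GET |0d 0a|")))
```
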