[Snort-users] content field
cpw at ...440...
Sat Sep 22 10:24:02 EDT 2001
On Sat, Sep 22, 2001 at 01:10:08PM +0530, |=- ROHIT-=| wrote:
> hi all
> am having a small doubt understanding the content field in the snort rules :
> say if i want to filter my tcp/ip data field containing 0a5c38f3 hex code (just for example) then
> the content field is written as
> content:"|0a 5c 38 f3|" for example
> sometimes they are separated in group of words "|0a5c 38f3|" as in few examples of the snort rules
> and sometimes together as "|0a5c38f3|" as one
> is there any difference among em or the parser takes them as in one group -> as a whole .
The parser ignores the spaces. They are permitted to enhance readability.
Content may also be described like so: "Get me a beer|0d|" with a mix of
ASCII and hex. Obviously, spaces in a text string are not ignored in matching.
> best regards
Phil Wood, cpw at ...440...
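
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Snort's own parser: a small Python converter that turns a content string into the byte pattern it stands for, dropping spaces inside `|...|` hex sections and keeping them in text. The function names and the sample payload are constructed for illustration, and escape sequences are not handled.

```python
def content_to_bytes(content: str) -> bytes:
    """Convert a Snort-style content string to the bytes it matches.

    Text outside pipes is taken literally (spaces included); text between
    a pair of pipes is hex in which whitespace is ignored.
    """
    parts = content.split("|")
    # An even number of parts means an odd number of pipes: a hex section
    # was opened but never closed.
    if len(parts) % 2 == 0:
        raise ValueError("unterminated |hex| section")
    out = bytearray()
    for index, part in enumerate(parts):
        if index % 2 == 0:
            # Literal text: every character, spaces included, is significant.
            out += part.encode("latin-1")
        else:
            # Hex section: remove whitespace, then decode the digit pairs.
            # bytes.fromhex raises ValueError on odd length or non-hex input.
            out += bytes.fromhex("".join(part.split()))
    return bytes(out)


def content_matches(content: str, payload: bytes) -> bool:
    """Return True if the pattern occurs anywhere in the payload."""
    return content_to_bytes(content) in payload


if __name__ == "__main__":
    # The three spellings from the question give one and the same pattern.
    for spelling in ("|0a 5c 38 f3|", "|0a5c 38f3|", "|0a5c38f3|"):
        print(spelling, "->", content_to_bytes(spelling).hex())

    # Constructed payload: mixed ASCII and hex, as in the reply.
    payload = b"Get me a beer\r\n"
    print(content_matches("Get me a beer|0d|", payload))   # spaces kept in text
    print(content_matches("Getmeabeer|0d|", payload))      # no match without them
```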