[Snort-users] content field

Phil Wood cpw at ...440...
Sat Sep 22 10:24:02 EDT 2001


On Sat, Sep 22, 2001 at 01:10:08PM +0530, |=- ROHIT-=| wrote:
> hi  all
> 
> am having a small doubt  understanding the content field in the snort rules :
> 
> say if i want to filter my tcp/ip data field containing 0a5c38f3 hex code (just for example) then
> 
> the content field is written as
> 
> content:"|0a 5c 38 f3|" for example 
> 
> but  
> sometimes they are separated in group of words "|0a5c 38f3|" as in few examples of the snort rules
> and sometimes together as "|0a5c38f3|" as one  
> 
> is there any difference among em or the parser takes them as in one group -> as a whole .

The parser ignores the spaces.  They are permitted to enhance readability.

Content may also be described like so:  "Get me a beer|0d|" with a mix of
ascii and hex.  Obviously, spaces in a text string are not ignored in matching.

> 
> 
> best regards
> rohit
> 
> 
> 

-- 
Phil Wood, cpw at ...440...
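
The behaviour described in the reply above, as an added example that is not part of the original post and not Snort's own parser: a simplified Python model in which `|` toggles between literal text and hex mode. The function names and sample payloads are constructed for illustration, and backslash escapes and other rule options are not handled.

```python
import string

def parse_content(pattern: str) -> bytes:
    """Convert a Snort-style content string into the bytes it matches.

    Simplified model (assumption): '|' toggles between literal text and hex
    mode; backslash escapes and other rule options are not handled.
    """
    out = bytearray()
    in_hex = False
    nibbles = ""
    for ch in pattern:
        if ch == "|":
            if in_hex and len(nibbles) % 2:
                raise ValueError("odd number of hex digits in |...| section")
            out += bytes.fromhex(nibbles)
            nibbles = ""
            in_hex = not in_hex
        elif in_hex:
            if ch.isspace():
                continue  # spaces inside |...| are only for readability
            if ch not in string.hexdigits:
                raise ValueError(f"non-hex character {ch!r} inside |...|")
            nibbles += ch
        else:
            out += ch.encode("latin-1")  # text, spaces included, is literal
    if in_hex:
        raise ValueError("unterminated |...| hex section")
    return bytes(out)


def matches(pattern: str, payload: bytes) -> bool:
    """True if the parsed content bytes occur anywhere in the payload."""
    return parse_content(pattern) in payload


# The three spellings from the question, plus the mixed text/hex form.
SPELLINGS = ["|0a 5c 38 f3|", "|0a5c 38f3|", "|0a5c38f3|"]
MIXED = "Get me a beer|0d|"

if __name__ == "__main__":
    for s in SPELLINGS:
        print(f"{s!r:18} -> {parse_content(s).hex()}")
    print(f"{MIXED!r} -> {parse_content(MIXED)!r}")
    # Constructed payloads: removing the spaces from the text breaks the match.
    print(matches(MIXED, b"xx Get me a beer\r yy"))   # True
    print(matches(MIXED, b"xx Getmeabeer\r yy"))      # False
```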




