[Snort-users] content rule
mkettler at ...4108...
Tue Dec 3 17:14:17 EST 2002
Yes, that's roughly legal to do.. What was your question/problem relating
to this rule?
At an eyeball scan for problems, since you didn't really state your problem:
Your first content would appear to not be a whole number of bytes... are
you sure that's what you wanted, or is a digit missing? (AB432CDEF is 4.5
I'd also be wary of your depth specifier.. I think that would require
*both* content strings to start within the first 5 bytes of the packet, but
each of those strings is >4 bytes long, making that impossible.
Also will both of these content patterns happen in the same tcp segment, or
burst of segments that stream4 can handle?
At 10:21 PM 12/3/2002 -0200, Aditya at ...7657... wrote:
>I need to capture two contents, one content depends on the other....
>alert tcp any any -> 192.168.1.0/24 80
>(content: "|AB432CDEF|";content: " |1AC2FEB345|";depth: 5;
>msg: "malicious activity")
>Only the combination of these two generate malicious activity
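The two problems raised in the reply (a `|...|` hex run with an odd number of digits, and a `depth` too small for the content it follows) can be caught by a small lint pass before the rule is loaded. The following is an added example, not code from the thread or from Snort; `content_length` and `check_rule_options` are hypothetical helpers, and `depth` is applied to the content keyword it immediately follows.

```python
import re

# A |..| run inside a Snort content string holds hex byte values (spaces allowed).
HEX_RE = re.compile(r'\|([^|]*)\|')

def content_length(content: str):
    """Byte length of a Snort content string, or None if a |hex| run
    does not describe a whole number of bytes (odd digit count / bad digit)."""
    pos = 0
    total = 0
    for m in HEX_RE.finditer(content):
        total += len(content[pos:m.start()])      # literal characters, one byte each
        digits = m.group(1).replace(' ', '')
        if len(digits) % 2 or not re.fullmatch(r'[0-9A-Fa-f]*', digits):
            return None
        total += len(digits) // 2
        pos = m.end()
    total += len(content[pos:])                   # trailing literal characters
    return total

def check_rule_options(options: str):
    """Parse 'key: value;' pairs from a rule body and report content/depth problems.
    Each depth is attached to the content keyword that precedes it."""
    findings = []
    contents = []
    for key, val in re.findall(r'(\w+)\s*:\s*([^;]*);', options):
        key, val = key.lower(), val.strip()
        if key == 'content':
            contents.append({'raw': val.strip('"'), 'depth': None})
        elif key == 'depth' and contents:
            contents[-1]['depth'] = int(val)
    for c in contents:
        n = content_length(c['raw'])
        if n is None:
            findings.append(f'content {c["raw"]!r}: hex run is not a whole number of bytes')
            continue
        if c['depth'] is not None and c['depth'] < n:
            findings.append(f'content {c["raw"]!r}: {n} bytes cannot fit within depth {c["depth"]}')
    return findings

if __name__ == '__main__':
    # Constructed: the option string from the rule quoted above.
    rule = 'content: "|AB432CDEF|";content: " |1AC2FEB345|";depth: 5;msg: "malicious activity"'
    for f in check_rule_options(rule):
        print(f)
```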