[Snort-users] content rule

Matt Kettler mkettler at ...4108...
Tue Dec 3 17:14:17 EST 2002


Yes, that's roughly legal to do. What was your question/problem relating 
to this rule?

At an eyeball scan for problems, since you didn't really state your problem:

Your first content would appear not to be a whole number of bytes... are 
you sure that's what you wanted, or is a digit missing? (AB432CDEF is 4.5 
bytes long.)

I'd also be wary of your depth specifier. I think that would require 
*both* content strings to start within the first 5 bytes of the packet, but 
each of those strings is >4 bytes long, making that impossible.

Also, will both of these content patterns happen in the same TCP segment, or 
burst of segments that stream4 can handle?
At 10:21 PM 12/3/2002 -0200, Aditya at ...7657... wrote:
>I need to capture two contents, one content depends on the other....
>like this
>alert tcp any any -> 192.168.1.0/24 80
>(content: "|AB432CDEF|";content: " |1AC2FEB345|";depth: 5;
>msg: "malicious activity")
>
>
>Only the combination of these two generate malicious activity
>
>
>Any ideas?
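To check the two problems raised above mechanically, here is an added Python linter (not from the thread and not Snort's own code) that parses the rule's content and depth options, flags a |hex| segment that is not a whole number of bytes, and reports a depth smaller than a content it governs. It assumes the simplified option syntax of the quoted rule (no escaped | inside a content string) and, following the reading in the reply, checks depth against every content option that precedes it; current Snort applies depth only to the immediately preceding content.

```python
import re

# Constructed sample, reproducing the rule quoted in the thread.
SAMPLE_RULE = ('alert tcp any any -> 192.168.1.0/24 80 '
               '(content: "|AB432CDEF|";content: " |1AC2FEB345|";depth: 5; '
               'msg: "malicious activity")')

# option name, then either a "quoted value" or an unquoted value, up to ';'
_OPTION_RE = re.compile(r'(\w+)\s*:\s*("([^"]*)"|[^;]*)\s*;')


def content_byte_length(value):
    """Byte length of a Snort content string; raises ValueError when a
    |hex| segment does not contain a whole number of bytes."""
    total = 0
    for i, part in enumerate(value.split('|')):
        if i % 2 == 0:                       # literal text outside |...|
            total += len(part)
        else:                                # hex digits inside |...|
            digits = re.sub(r'\s+', '', part)
            if len(digits) % 2 or not re.fullmatch(r'[0-9A-Fa-f]*', digits):
                raise ValueError(f'hex segment |{part}| is not a whole number of bytes')
            total += len(digits) // 2
    return total


def lint_rule(rule):
    """Return a list of problems found in the rule's content/depth options."""
    problems = []
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    contents = []                            # (content value, byte length or None)
    for m in _OPTION_RE.finditer(body):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        value = quoted if quoted is not None else raw.strip()
        if key == 'content':
            try:
                contents.append((value, content_byte_length(value)))
            except ValueError as e:
                problems.append(f'content {value!r}: {e}')
                contents.append((value, None))
        elif key == 'depth':
            depth = int(value)
            # assumption from the reply: depth constrains every preceding content
            for cvalue, length in contents:
                if length is not None and length > depth:
                    problems.append(f'depth {depth} is smaller than content '
                                    f'{cvalue!r} ({length} bytes); it can never match')
    return problems


if __name__ == '__main__':
    for problem in lint_rule(SAMPLE_RULE):
        print(problem)
```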