[Snort-users] Content list 2

Aditya at ...7657... Aditya at ...7657...
Thu Dec 5 08:21:22 EST 2002


Hi Friends

Hi Matt Kettler, you were right about contents, they really do AND 
operations :)
I was mistaken. But now I have another doubt: inside my snort.conf file 
I just included these two rules directly

alert tcp any any -> 150.163.18.13 any 
(content: "|CAFEBABE|";\content: "|AB3FFC0B|"; \
nocase; msg:"Fake Stuff";)
alert tcp any any -> 150.163.18.13 any \ 
(content: "|CAFEBABE|";\nocase; msg:"Cool Stuff";)

It doesn't report any error, Snort understands the rules, but my alerts 
are not generated. I want to know where I am wrong, if you or someone else
could help me, please!!!

The funny thing is that when I use an activate/dynamic rule the alert is 
generated, like this one

activate tcp any any -> 150.163.18.13 any (content: "|CAFEBABE|";\ 
activates: 1; nocase; msg:"Cool Stuff";)
dynamic tcp any any -> 150.163.18.13 any (activated_by: 1; count: 10;)

Aditya
INPE- Brazilian Space Research Center






