[Snort-users] Content list 2

larc larc at ...1187...
Mon Dec 9 08:51:15 EST 2002


Hi,

>alert tcp any any -> 150.163.18.13 any (content:"|CAFEBABE|";\ content:"|AB3FFC0B|"; \nocase; msg:"Fake Stuff";)
>alert tcp any any -> 150.163.18.13 any \ 
>(content: "|CAFEBABE|";\nocase; msg:"Cool Stuff";)
>It doesn't accuse no error, snort understands the rules, but my alerts 
>are not generated

Why do you use 'nocase' after content when the content is in HEX ?
Try the rule without 'nocase'


Stefan D.
------------------------
 Aditya at ...7657... wrote:
------------------------
Hi Friends
>
>Hi Matt Kettler you were right about contents they really do AND operations :)
>I was mistaken. But now I have another doubt, inside my snort.conf file
>I just included directly these two rules
>
>alert tcp any any -> 150.163.18.13 any (content: "|CAFEBABE|";\content: "|AB3FFC0B|"; \
>nocase; msg:"Fake Stuff";)
>alert tcp any any -> 150.163.18.13 any \
>(content: "|CAFEBABE|";\nocase; msg:"Cool Stuff";)
>
>It doesn't accuse no error, snort understands the rules, but my alerts
>are not generated, I want to know where I am wrong, if you or someone else
>could help me please!!!
>
>The funny thing is when I use an activate dynamic rule the alert is
>generated, like this one
>
>activate tcp any any -> 150.163.18.13 any (content: "|CAFEBABE|";\
>activates: 1; nocase; msg:"Cool Stuff";)
>dynamic tcp any any -> 150.163.18.13 any (activated_by: 1; count: 10;)
>
>Aditya
>INPE- Brazilian Space Research Center

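The matching behaviour discussed in this thread, as an added example that is not part of the original messages and not Snort's own code: a simplified Python model of content matching for the two posted rules. It assumes each content is searched over the whole payload and that nocase applies to the content keyword before it; the function names and payloads are made up for illustration. It shows that both contents must be present for "Fake Stuff" to match, and that nocase has nothing to fold in these all-hex patterns.

```python
import re

def parse_content(spec: str) -> bytes:
    """Turn a Snort content string, e.g. 'GET |0D 0A|', into raw bytes."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        # Odd-numbered pieces sit between pipes and hold hex digits.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def nocase_is_noop(spec: str) -> bool:
    """True when the pattern has no ASCII letters for nocase to fold."""
    return re.search(rb"[A-Za-z]", parse_content(spec)) is None

def rule_matches(payload: bytes, contents) -> bool:
    """contents is a list of (spec, nocase); every entry must be found (AND)."""
    for spec, nocase in contents:
        pattern, haystack = parse_content(spec), payload
        if nocase:
            # bytes.upper() changes only a-z, so high bytes stay untouched.
            pattern, haystack = pattern.upper(), haystack.upper()
        if pattern not in haystack:
            return False
    return True

# The two rules from the thread; nocase is attached to the content before it.
FAKE_STUFF = [("|CAFEBABE|", False), ("|AB3FFC0B|", True)]
COOL_STUFF = [("|CAFEBABE|", True)]

# Constructed payloads, not captured traffic.
BOTH = b"\x00\xca\xfe\xba\xbe\x01\xab\x3f\xfc\x0b"
ONLY_FIRST = b"hdr\xca\xfe\xba\xbetail"

if __name__ == "__main__":
    for name, rule in (("Fake Stuff", FAKE_STUFF), ("Cool Stuff", COOL_STUFF)):
        for label, data in (("both", BOTH), ("first only", ONLY_FIRST)):
            print(name, label, rule_matches(data, rule))
    print("nocase no-op:", [nocase_is_noop(s) for s, _ in FAKE_STUFF])
```

This models the matching semantics only; it does not reproduce whatever kept Snort from alerting in the poster's setup.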