[Snort-users] pcre usage for inline

Jeff Dell jdell at ...1095...
Wed Jun 15 13:31:33 EDT 2005


Donno about pcre, but you can do this with snort inline:

alert tcp any any <> any 80 (msg: "change stuff"; content:"stuff";
replace:"newstuff";) 

Jeff

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Joel Esler
> Sent: Wednesday, June 15, 2005 4:25 PM
> To: Snort Users; 
> snort-inline-users-request at lists.sourceforge.net; snort-sigs 
> mailinglist
> Subject: [Snort-users] pcre usage for inline
> 
> Just wondering, since we have the ability to modify items with regular
> expressions...  can it be done in a snort rule?  like..
> 
> pcre:"s/stuff/newstuff/";
> 
> just a thought..  be able to modify actual data on the fly...
> 
> J
> 
> 
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=ick
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=ort-users
> 






More information about the Snort-users mailing list