[Snort-users] file_data entry in snort manual

Will Metcalf william.metcalf at ...11827...
Mon Aug 9 23:53:08 EDT 2010

From the snort manual (note "This option option" typo).... Hmm, I
think this example is a bit weird: it shows an example that will match
from the beginning of the payload and is in no way relative to setting
the inspection pointer at the start of file_data, so what is the point?

"This option matches if there is HTTP response body or SMTP body. This
option option will operate similarly to the
dce stub data option added with DCE/RPC2, in that it simply sets a
reference for other relative rule options ( byte
test, byte jump, pcre) to use. This file data can point to either a
file or a block of data.

alert tcp any any -> any any(msg:"foo at the start of the payload"; file_data; pcre:"/foo/i";)"

Perhaps this should be something like....

alert tcp any 80 -> any any(msg:"foo at the start of http response body"; file_data; content:"foo"; nocase; within:3;)
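
The difference between the two rules above, as an added example that is not part of the original post and not Snort's own code: a simplified Python model of the cursor semantics the message describes, run over two constructed HTTP responses. The function names and the header/body split on a blank line are assumptions of this sketch.

```python
import re

# Constructed HTTP responses (sample data, not captured traffic).
HEADER_ONLY = (b"HTTP/1.1 200 OK\r\nServer: foo-httpd\r\n"
               b"Content-Length: 5\r\n\r\nhello")
BODY_START = b"HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nFOObar"
NO_BODY = b"HTTP/1.1 204 No Content\r\n\r\n"


def file_data_cursor(payload):
    """Model of file_data: offset of the HTTP response body, or None if absent."""
    idx = payload.find(b"\r\n\r\n")
    if idx == -1 or idx + 4 >= len(payload):
        return None  # no body, so the option itself does not match
    return idx + 4


def manual_rule(payload):
    """file_data; pcre:"/foo/i";  (pcre is not relative, so it ignores the cursor)"""
    if file_data_cursor(payload) is None:
        return False
    # Searches the whole payload, headers included.
    return re.search(rb"foo", payload, re.I) is not None


def suggested_rule(payload):
    """file_data; content:"foo"; nocase; within:3;  (relative to the cursor)"""
    cur = file_data_cursor(payload)
    if cur is None:
        return False
    # within:3 with a 3-byte pattern: the match must be the first 3 body bytes.
    return payload[cur:cur + 3].lower() == b"foo"


if __name__ == "__main__":
    for name, pkt in [("header only", HEADER_ONLY), ("body start", BODY_START),
                      ("no body", NO_BODY)]:
        print(f"{name:12} manual={manual_rule(pkt)} suggested={suggested_rule(pkt)}")
```

In this model the manual's rule fires on "foo" in a Server header even though the body is "hello", while the suggested rule fires only when the body itself begins with "foo".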


