[Snort-users] Rules-metadata option

Alex Adamos alexthakidadam at ...125...
Mon Oct 1 12:31:23 EDT 2012


what is exactly the metadata option at the preprocessor rules? for example, 

alert ( msg: "FRAG3_IPOPTIONS"; sid: 1; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )

when does this rule get fired? the pattern matcher will match what exactly??? i mean that this rule

# alert tcp $ any any -> any any (msg:"bla"; content:"!@|23|"; sid:1; rev:9;)


gets fired when there is a content "!@|23|", but what about the preproc rule??
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121001/6f076e6a/attachment.html>


More information about the Snort-users mailing list