[Snort-users] Rules-metadata option

Joel Esler jesler at ...1935...
Mon Oct 1 13:25:57 EDT 2012


On Oct 1, 2012, at 12:31 PM, Alex Adamos <alexthakidadam at ...125...> wrote:

> What exactly is the metadata option in the preprocessor rules? For example,
> 
> alert ( msg: "FRAG3_IPOPTIONS"; sid: 1; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
> 

It means that this rule is actually a preprocessor rule.

> When does this rule get fired? What exactly will the pattern matcher match? I mean that this rule
> 
> # alert tcp $ any any -> any any (msg:"bla"; content:"!@|23|"; sid:1; rev:9;)
> 
> 
> gets fired when there is a content "!@|23|", but what about the preproc rule?

There are no content matches here; this allows you to turn on or off the alerting (or blocking) of a preprocessor rule.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
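An added illustration of what the reply describes, not taken from this thread or from the files Snort ships: a preprocessor rule carries no content or pcre option, so it is never handed to the pattern matcher. The preprocessor (here frag3, gid 123) raises an event number internally, and the rule with that gid/sid decides whether Snort alerts on it, drops the traffic, or stays silent. The file layout and include lines follow the Snort 2.9 snort.conf conventions; the second rule, with sid 9999, is a constructed placeholder, not a real shipped rule.

```snort
# --- preproc_rules/preprocessor.rules (illustrative excerpt) ---
#
# No content:/pcre: options here. The frag3 preprocessor emits event
# gid 123 / sid 1 when it sees IP options in a fragment; this rule only
# says what Snort does with that event.

# Enabled: generate an alert whenever frag3 raises event 1.
alert ( msg: "FRAG3_IPOPTIONS"; sid: 1; gid: 123; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )

# Disabled: a commented-out preprocessor rule never fires, so the
# corresponding event is silently discarded. (sid 9999 and its msg are
# constructed placeholders for this example.)
# alert ( msg: "PREPROC_EXAMPLE_EVENT"; sid: 9999; gid: 123; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )

# Blocking instead of alerting (inline mode only): change the action word.
# drop ( msg: "FRAG3_IPOPTIONS"; sid: 1; gid: 123; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )

# --- snort.conf (the lines that make the file above take effect) ---
var PREPROC_RULE_PATH ../preproc_rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules

# If the preprocessor and decoder rule files are not included at all,
# this option makes Snort generate the rules itself, all enabled:
# config autogenerate_preprocessor_decoder_rules
```

The practical check after editing the file is `snort -c snort.conf -T`, which parses the configuration and reports whether the preprocessor rules loaded; an event from a preprocessor whose rule is commented out (or whose file is not included) will simply not appear in the alert log, which is easy to mistake for the preprocessor being inactive.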


