[Snort-users] [Snort-user] dynamic variable for content match

Al Lewis (allewi) allewi at ...589...
Thu Jan 29 06:02:16 EST 2015


If you are trying to read information from a C++ program (using cin) and then have Snort match on THAT content AFTER Snort has already been started, you are probably going to have to create something custom. I'm not aware of a clean way to "input" data into Snort without requiring a restart.

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: zT [mailto:zzahra88 at ...11827...]
Sent: Thursday, January 29, 2015 12:14 AM
To: waldo kitty
Cc: snort-users
Subject: Re: [Snort-users] [Snort-user] dynamic variable for content match

Thank you for your explanation (sorry that my English is not good :) ).
I just want to have this simple thing in another language:
std::string x;  // std::string owns its buffer, so cin has somewhere to write
std::cin >> x;
I am trying to use a shared object, but I don't know if this is possible???

On Thu, Jan 29, 2015 at 4:22 AM, waldo kitty <wkitty42 at ...14940...> wrote:
On 1/27/2015 11:35 AM, zT wrote:
> i don't understand what you mean????

you said that you wanted to enter a string at the command line and have a rule
in snort detect that string in the network traffic... Al asked you to clarify
and listed his understanding of what you wanted to do... you came back and said
that was not the way you wanted to do it... so i asked you to be more explicit
and tell us how you do want to do it... we're still waiting on your explanation
of what you desire ;)


> On 1/27/15, waldo kitty <wkitty42 at ...14940...> wrote:
>> On 1/26/2015 3:42 PM, zT wrote:
>>> tnx for your suggestion but i don't want to do it this way. tnx anyway :)
>>
>> then you need to be much much clearer in what you want to do...
>>
>> you either write and use static rules or you develop some sort of dynamic
>> rule that has some sort of command line interface...


--
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
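
One way to build the "something custom" discussed in this thread, as an added example that is not from any poster or from the Snort project: a small C++ program reads a string from standard input and emits a static rule whose content option hex-encodes every non-alphanumeric byte. The names escape_content and build_rule, the rule header and the SID are assumptions; as noted in the thread, Snort has to be restarted to load the generated rule.

```cpp
// Added example (not from the thread): build a Snort 2.x rule from a runtime string.
#include <cctype>
#include <cstdio>
#include <iostream>
#include <string>

// Encode a search string as a Snort `content` argument. Alphanumerics stay
// literal; every other byte (including ; " \ | which are special in rule
// syntax) is emitted as hex inside |..| so the input cannot close the
// option early or add extra rule options.
std::string escape_content(const std::string& needle) {
    std::string out;
    bool in_hex = false;
    for (unsigned char c : needle) {
        if (std::isalnum(c)) {
            if (in_hex) { out += '|'; in_hex = false; }
            out += static_cast<char>(c);
        } else {
            char buf[4];
            std::snprintf(buf, sizeof buf, "%02X", static_cast<unsigned>(c));
            out += in_hex ? " " : "|";   // one |..| group per run of hex bytes
            out += buf;
            in_hex = true;
        }
    }
    if (in_hex) out += '|';
    return out;
}

// Hypothetical helper: wrap the escaped string in a generic TCP alert rule.
// Returns "" for empty input, since an empty content match is of no use.
std::string build_rule(const std::string& needle, unsigned sid) {
    if (needle.empty()) return "";
    return "alert tcp any any -> any any (msg:\"runtime content match\"; "
           "content:\"" + escape_content(needle) + "\"; sid:" +
           std::to_string(sid) + "; rev:1;)";
}

int main() {
    std::string x;
    if (!std::getline(std::cin, x)) return 1;    // whole line, spaces included
    std::string rule = build_rule(x, 1000001);   // constructed SID in the local range
    if (rule.empty()) return 1;
    std::cout << rule << "\n";   // append to a rules file, then restart Snort
    return 0;
}
```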
