[Snort-users] [Snort-user] dynamic variable for content match

zT zzahra88 at ...11827...
Thu Jan 29 06:50:31 EST 2015


Reading data from input in Snort rules and searching for this input data in
packet content, I want this. Like C++ cin>>x; how can we do this in Snort rules?

On Thu, Jan 29, 2015 at 2:32 PM, Al Lewis (allewi) <allewi at ...589...> wrote:

> If you are trying to read information from a c++ program (using cin) and
> then have snort match on THAT content AFTER snort has already been started
> you are probably going to have to create something custom. I'm not aware of
> a clean way to “input” data into snort without requiring a restart.
>
>
>
> Hope this helps.
>
>
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi at ...589...
>
>
>
> *From:* zT [mailto:zzahra88 at ...11827...]
> *Sent:* Thursday, January 29, 2015 12:14 AM
> *To:* waldo kitty
> *Cc:* snort-users
> *Subject:* Re: [Snort-users] [Snort-user] dynamic variable for content match
>
>
>
> Thank you for your explanation (sorry that my English is not good :) ).
>
> I just want to have this simple thing in other language
>
> char* x;
>
> cin>>x;
>
> I am trying to use a shared object but I don't know if this is possible?
>
>
>
> On Thu, Jan 29, 2015 at 4:22 AM, waldo kitty <wkitty42 at ...14940...>
> wrote:
>
> On 1/27/2015 11:35 AM, zT wrote:
> > I don't understand what you mean?
>
> you said that you wanted to enter a string at the command line and have a
> rule in snort detect that string in the network traffic... Al asked you to
> clarify and listed his understanding of what you wanted to do... you came
> back and said that was not the way you wanted to do it... so i asked you to
> be more explicit and tell us how you do want to do it... we're still waiting
> on your explanation of what you desire ;)
>
>
>
> > On 1/27/15, waldo kitty <wkitty42 at ...14940...> wrote:
> >> On 1/26/2015 3:42 PM, zT wrote:
> >>> tnx for your suggestion but i don't want to do it this way. tnx anyway :)
> >>
> >> then you need to be much much clearer in what you want to do...
> >>
> >> you either write and use static rules or you develop some sort of dynamic
> >> rule that has some sort of command line interface...
>
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         Please *keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
>
>
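
One possible shape for the "something custom" mentioned in the reply, as an added example that is not code from this thread or from the Snort project: a small Python script that reads a string from standard input and emits a static rule whose content option matches it. Snort still has to be restarted to load the rule, as the reply notes; the rule header, msg text, sid and the file names in the usage comment are assumptions.

```python
import string
import sys

# Bytes written literally inside content:"..."; everything else is hex-encoded
# between pipes so that ; " \ | and non-printable bytes cannot break the rule.
SAFE = set((string.ascii_letters + string.digits + "._-").encode())


def snort_content(data: bytes) -> str:
    """Encode raw bytes as the value of a Snort content option."""
    if not data:
        raise ValueError("content pattern must not be empty")
    out, hex_run = [], []
    for b in data:
        if b in SAFE:
            if hex_run:
                out.append("|" + " ".join(hex_run) + "|")
                hex_run = []
            out.append(chr(b))
        else:
            hex_run.append(f"{b:02X}")
    if hex_run:
        out.append("|" + " ".join(hex_run) + "|")
    return "".join(out)


def build_rule(pattern: str, sid: int = 1000001) -> str:
    """Return one alert rule that matches `pattern` in any TCP payload."""
    if sid < 1000000:
        raise ValueError("local rules should use sid >= 1000000")
    content = snort_content(pattern.encode("utf-8"))
    # msg is fixed text: user input only ever reaches the encoded content field.
    return (f'alert tcp any any -> any any (msg:"LOCAL user-supplied pattern"; '
            f'content:"{content}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    # Hypothetical usage: echo 'some string' | python3 make_rule.py >> local.rules
    line = sys.stdin.readline().rstrip("\r\n")
    print(build_rule(line))
```

Hex-encoding every byte outside a small safe set keeps input such as `";` from closing the content option and appending rule options of its own.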