Re: [Snort-users] multiple content matches
Here is one from rpc.rules which has two 'content' options and their respective 'offset' and 'depth':
rpc.rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt"; flow:to_server,established; content:"|0000 0f9c|"; offset:0; depth:4; content:"|00018799|"; offset:16; depth:4; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:5;)
Travis S. wrote:
>Can Snort handle checking a single packet against 3 or more content strings to generate an alert? For example, I want to check for string A at offset 1, string B at offset 43 and string C at offset 76 all within the same packet.
--
Ashley Thomas
Research scientist
College of Computing
Georgia Tech
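As an added illustration (not part of the original post and not Snort's own code), the following Python models how Snort 2.x evaluates several content options in one rule: each content is searched independently, starting at its offset measured from the beginning of the payload and only within depth bytes of that offset, and every content has to match for the rule to fire. It runs the rpc.rules rule quoted above and a rule shaped like the one asked about (string A at offset 1, B at 43, C at 76). The sample payloads, the three-content rule and its sid are constructed for this example; relative modifiers such as distance/within and the ! negation are deliberately not modelled.

```python
import re

# Matches one rule option such as  content:"|0000 0f9c|";  or  offset:16;
# The quoted alternative keeps semicolons inside msg:"..." from splitting the option.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def decode_content(text: str) -> bytes:
    """Turn a Snort content string such as '|0000 0f9c|' or 'abc|00|def' into bytes.
    Segments between | | are hex (whitespace ignored); everything else is literal."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_contents(rule: str):
    """Return a list of {pattern, offset, depth} dicts, one per content option.
    An offset/depth option applies to the content option immediately before it."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents = []
    for name, value in OPTION_RE.findall(body):
        name = name.lower()
        if name == "content":
            contents.append({"pattern": decode_content(value.strip('"')), "offset": 0, "depth": None})
        elif name in ("offset", "depth") and contents:
            contents[-1][name] = int(value.strip())
    return contents


def content_matches(payload: bytes, pattern: bytes, offset: int, depth) -> bool:
    """Snort 2.x semantics: start looking at `offset`; with a depth, the whole
    pattern must lie within the `depth` bytes that follow the offset."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def rule_fires(rule: str, payload: bytes) -> bool:
    """All content options must match (logical AND) for the rule to alert."""
    return all(content_matches(payload, c["pattern"], c["offset"], c["depth"])
               for c in parse_contents(rule))


# The rule quoted in the post (sid:569 from rpc.rules), reflowed onto one line.
RPC_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt"; '
    'flow:to_server,established; content:"|0000 0f9c|"; offset:0; depth:4; '
    'content:"|00018799|"; offset:16; depth:4; reference:bugtraq,2417; '
    'reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; '
    'classtype:attempted-admin; sid:569; rev:5;)'
)

# Constructed payloads (not real captures): the program number 0x00018799 sits
# exactly at byte 16 in the first, and one byte later in the second, which is
# enough to push it out of the offset:16; depth:4 window.
RPC_PAYLOAD = b"\x00\x00\x0f\x9c" + b"\x00" * 12 + b"\x00\x01\x87\x99" + b"\x00" * 8
RPC_PAYLOAD_SHIFTED = b"\x00\x00\x0f\x9c" + b"\x00" * 13 + b"\x00\x01\x87\x99"

# Hypothetical rule in the shape of the question: three fixed-position strings.
# depth:1 with a one-byte content pins each string to exactly that offset.
THREE_CONTENT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"three fixed-position strings"; '
    'content:"A"; offset:1; depth:1; content:"B"; offset:43; depth:1; '
    'content:"C"; offset:76; depth:1; sid:1000001; rev:1;)'
)


def _fixed_position_payload(positions: dict) -> bytes:
    """Constructed 80-byte payload with the given single characters placed at the given offsets."""
    buf = bytearray(80)
    for pos, ch in positions.items():
        buf[pos] = ord(ch)
    return bytes(buf)


THREE_PAYLOAD_OK = _fixed_position_payload({1: "A", 43: "B", 76: "C"})
THREE_PAYLOAD_BAD = _fixed_position_payload({1: "A", 44: "B", 76: "C"})  # B one byte late


if __name__ == "__main__":
    for name, rule, payload in [
        ("rpc snmpXdmi, exact", RPC_RULE, RPC_PAYLOAD),
        ("rpc snmpXdmi, shifted", RPC_RULE, RPC_PAYLOAD_SHIFTED),
        ("three strings, ok", THREE_CONTENT_RULE, THREE_PAYLOAD_OK),
        ("three strings, B late", THREE_CONTENT_RULE, THREE_PAYLOAD_BAD),
    ]:
        print(f"{name}: {'ALERT' if rule_fires(rule, payload) else 'no match'}")
```

The shifted RPC payload is the check worth keeping in mind when writing such rules: the program number is still present in the packet, but because depth is counted from the offset, a pattern one byte outside the offset/depth window does not match, so an evasion that pads the request by a byte silences an absolute-offset rule.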
Received on Wed Feb 19 15:14:28 2003