[Snort-users] RE: [Snort-sigs] Questions 101
From: Matt Kettler <mkettler(at)evi-inc.com>
Date: Thu Apr 03 2003 - 18:07:46 EST
Also, binary protocols will contain space characters, but not very often, so you could miss many of the packets in the transfer. For example, a zipfile or other compressed data could go on for many KB in a row without any spaces. It certainly would be unlikely to contain the three-character text string: %20

If you really want to log every packet from a given IP, I'd _strongly_ recommend that you just drop the content part entirely. Anything else doesn't always do what you want, and wastes CPU time doing an unnecessary string search.

There's nothing invalid, or even unusual, about a rule which has no content specifier. There are several rules in the snort ruleset that don't have them (i.e.: ones that look for strange flag bits or source IP addresses).
At 03:56 PM 4/3/2003 -0500, you wrote:
Received on Thu Apr 3 18:26:36 2003
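The two rule forms the message contrasts, written out in Snort rule syntax as an added example that is not part of the original e-mail. The address 192.0.2.10, the msg strings and the sid values are placeholders assumed for illustration.

```snort
# Content-gated form: the payload of every TCP packet from the host is
# searched for the literal string "%20". Packets that lack the string
# (bare ACKs, compressed or binary data) are never logged, and the
# string search is paid for on every packet that matches the header.
log tcp 192.0.2.10 any -> any any (msg:"watched host, content-gated"; content:"%20"; sid:1000001; rev:1;)

# Header-only form: no content option at all. Every IP packet sent by
# the host is logged regardless of payload, with no pattern matching.
log ip 192.0.2.10 any -> any any (msg:"watched host, all packets sent"; sid:1000002; rev:1;)

# Bidirectional variant: also logs packets addressed to the host.
log ip 192.0.2.10 any <> any any (msg:"watched host, both directions"; sid:1000003; rev:1;)
```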