This is a discussion on Re: [Snort-users] Rules with multiple contents specified within the Snort forums, part of the System Security and Security Related category.
hello,

Payload: "uid=48(apache) gid=48(web)"
(You must set this to the corresponding group your webserver is running as)

If it finds the pattern 'uid=' it will continue searching until it finds '(web)'. If it finds both, then the event is fired. The rule options are checked as a large logical AND, and they are checked sequentially.

Regards,
Alejandro Flores

> Hi,
>
> I am new to Snort. Can someone tell me, when multiple contents are
> specified in a rule as in the following rule, what does it mean? Does it
> mean that all the contents MUST be matched, and does it also mean that they
> should be in the same sequence as specified in the rule, or does the
> sequencing not matter (e.g. for the following rule, should "uid=" and "(web)"
> be in the same sequence, or can "(web)" come before "uid=")?
>
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
> RESPONSES id check returned web"; flow:from_server,established;
> content:"uid="; content:"(web)"; classtype:bad-unknown; sid:1884; rev:2;)
>
> Thanks
> GM

--
TriForSec
http://www.triforsec.com.br/

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
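As an added illustration (not code from the thread or from Snort itself), here is a toy Python evaluator for the `content` options of the rule quoted above, using a simplified option parser and constructed sample payloads. It applies the logical-AND semantics described in the reply and also shows that, without a relative modifier such as `distance`, each content may appear anywhere in the payload, so "(web)" before "uid=" still matches, whereas adding `distance:0` to the second content makes the match order-sensitive.

```python
from __future__ import annotations
from dataclasses import dataclass
# Rule quoted in the thread (SID 1884). The toy parser below handles only plain-text content strings.
RULE_1884 = ('alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check '
             'returned web"; flow:from_server,established; content:"uid="; content:"(web)"; '
             'classtype:bad-unknown; sid:1884; rev:2;)')

@dataclass
class Content:
    pattern: bytes
    distance: int | None = None  # Snort's relative modifier: search starts N bytes after the previous match

def parse_contents(rule: str) -> list[Content]:
    """Collect each content option, plus a following distance:N, from the option body (splits on ';',
    so it ignores |hex| escapes and contents containing ';', which this rule does not have)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents: list[Content] = []
    for opt in body.split(";"):
        opt = opt.strip()
        if opt.startswith("content:"):
            contents.append(Content(opt[len("content:"):].strip().strip('"').encode()))
        elif opt.startswith("distance:") and contents:
            contents[-1].distance = int(opt.split(":", 1)[1])
    return contents

def match_contents(payload: bytes, contents: list[Content]) -> bool:
    """Logical AND over all contents, checked in rule order. Without a relative modifier a pattern may
    sit anywhere in the payload; with distance:N it must start N bytes after the previous match ends."""
    cursor = 0  # end offset of the previous match, used only by relative modifiers
    for c in contents:
        start = 0 if c.distance is None else cursor + c.distance
        idx = payload.find(c.pattern, start)
        if idx < 0:
            return False  # one missing content fails the whole rule
        cursor = idx + len(c.pattern)
    return True

RESPONSE_WEB = b"uid=48(apache) gid=48(web) groups=48(web)\n"  # constructed samples, not captured traffic
RESPONSE_OTHER = b"uid=48(apache) gid=48(apache)\n"
REVERSED = b"(web) ... uid=48\n"

def evaluate_samples() -> dict[str, bool]:
    plain = parse_contents(RULE_1884)
    ordered = parse_contents(RULE_1884.replace('content:"(web)";', 'content:"(web)"; distance:0;'))
    return {
        "web_fires": match_contents(RESPONSE_WEB, plain),        # True: both contents present
        "other_fires": match_contents(RESPONSE_OTHER, plain),    # False: "(web)" never appears
        "reversed_plain": match_contents(REVERSED, plain),       # True: order is irrelevant
        "reversed_ordered": match_contents(REVERSED, ordered),   # False: distance:0 demands uid= first
    }
```

Real Snort also applies `offset`, `depth`, `within`, `nocase` and the fast-pattern matcher, none of which this toy models.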