From: Matt Kettler (mkettler_at_evi-inc.com)
Date: Tue Dec 03 2002 - 19:14:19 CST


    Yes, that's roughly legal to do.. What was your question/problem relating
    to this rule?

    At an eyeball scan for problems, since you didn't really state your problem:

    Your first content would appear to not be a whole number of bytes... are
    you sure that's what you wanted, or is a digit missing? (AB432CDEF is 4.5
    bytes long.)

    I'd also be wary of your depth specifier.. I think that would require
    *both* content strings to start within the first 5 bytes of the packet, but
    each of those strings is >4 bytes long, making that impossible.

    Also will both of these content patterns happen in the same tcp segment, or
    burst of segments that stream4 can handle?

    At 10:21 PM 12/3/2002 -0200, Adityadirectnet.com.br wrote:
    >I need to capture two contents, one content depends on the other....
    >like this
    >alert tcp any any -> 192.168.1.0/24 80
    >(content: "|AB432CDEF|";content: " |1AC2FEB345|";depth: 5;
    >msg: "malicious activity")
    >
    >
    >Only the combination of these two generate malicious activity
    >
    >
    >Any ideas?

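The two checks raised in the reply (a hex content with an odd digit count, and a depth too small to hold the content strings) can be made mechanical. The following is an added example, not code from the thread or from the Snort project: a small Python linter that parses Snort-style `|hex|` content strings into bytes, applies a `depth` window the way the reply reads the rule (whole pattern inside the first N payload bytes, the one depth applied to both contents), and brute-forces whether two patterns can ever sit inside that window together, overlaps included. The payload used at the bottom is constructed; which content a `depth` modifier binds to differs between Snort versions, so treat that binding as an assumption of the example.

```python
import re

# One hex section inside a Snort content string, e.g. |1A C2 FE|
HEX_SECTION = re.compile(r"\|([0-9A-Fa-f ]*)\|")


def parse_content(spec):
    """Turn a Snort content string (literal text with |hex| sections) into bytes.

    Raises ValueError when a hex section has an odd number of digits, since
    every content byte needs exactly two hex digits.
    """
    out = bytearray()
    pos = 0
    for m in HEX_SECTION.finditer(spec):
        out += spec[pos:m.start()].encode("latin-1")  # literal text before the section
        digits = m.group(1).replace(" ", "")
        if len(digits) % 2:
            raise ValueError(
                f"|{m.group(1)}| has {len(digits)} hex digits = {len(digits) / 2} bytes")
        out += bytes.fromhex(digits)
        pos = m.end()
    out += spec[pos:].encode("latin-1")  # trailing literal text
    return bytes(out)


def content_matches(payload, pattern, depth=None):
    """depth:N here means the whole pattern must lie inside the first N payload bytes."""
    window = payload if depth is None else payload[:depth]
    return pattern in window


def can_both_fit(p1, p2, depth):
    """Brute force: can some payload prefix of `depth` bytes contain both patterns?

    Placements may overlap as long as the shared bytes agree; a pattern longer
    than depth gets no placement at all.
    """
    for i in range(depth - len(p1) + 1):
        for j in range(depth - len(p2) + 1):
            cells = {}
            consistent = True
            for pat, start in ((p1, i), (p2, j)):
                for k, b in enumerate(pat):
                    if cells.setdefault(start + k, b) != b:
                        consistent = False
            if consistent:
                return True
    return False


def lint_rule(content_specs, depth):
    """Return warnings for a pair of content strings that share one depth value."""
    warnings, patterns = [], []
    for spec in content_specs:
        try:
            pat = parse_content(spec)
        except ValueError as e:
            warnings.append(f"content {spec!r}: {e}")
            continue
        if len(pat) > depth:
            warnings.append(f"content {spec!r} is {len(pat)} bytes, cannot fit in depth:{depth}")
        patterns.append(pat)
    if len(patterns) == 2 and not can_both_fit(patterns[0], patterns[1], depth):
        warnings.append(f"both contents cannot fit inside the first {depth} bytes together")
    return warnings


if __name__ == "__main__":
    # The two content strings and depth from the quoted rule.
    for w in lint_rule(["|AB432CDEF|", " |1AC2FEB345|"], depth=5):
        print("warning:", w)
    # Constructed payload: a space, the second pattern, then filler bytes.
    payload = b" " + bytes.fromhex("1AC2FEB345") + b"filler"
    print(content_matches(payload, parse_content(" |1AC2FEB345|"), depth=6))  # True
    print(content_matches(payload, parse_content(" |1AC2FEB345|"), depth=5))  # False
```

Note that the second content in the quoted rule starts with a space before the pipe, so it parses to six bytes, not five; the linter reports that as well as the odd digit count of the first content.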