[Snort-users] RE: [Snort-sigs] Questions 101
From: Matt Kettler (mkettler evi-inc.com)
Date: Thu Apr 03 2003 - 17:07:46 CST
Erm, that will look for things like web URLs that have spaces that are escaped.
It will not match the spaces between the text in this email, for example.
If you want to look for a space character, use content: " ".
Also, binary protocols will contain space characters, but not very often,
so you could miss many of the packets in the transfer. For example, a
zipfile or other compressed data could go on for many KB in a row without
any spaces. It certainly would be unlikely to contain the three-character
text string: %20
If you really want to log every packet from a given IP, I'd _strongly_
recommend that you just drop the content part entirely. Anything else
doesn't always do what you want, and wastes CPU time doing an unnecessary
string search.
There's nothing invalid, or even unusual, about a rule which has no content
specifier. There are several rules in the snort ruleset that don't have
them (i.e. ones that look for strange flag bits or source IP addresses).
At 03:56 PM 4/3/2003 -0500, you wrote:
>I did a content:"%20" and the rule works, don't know what it will pick up,
>but I figure everything has a freaking space in it at some point.
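As an added illustration of Matt's point (this is not code from the thread or from the Snort project), the script below models Snort's plain-text `content:` matching with a few constructed payloads: an HTTP request with an escaped space, an e-mail-style text line, and a 1 KB binary chunk standing in for part of a zipfile. The rules use a made-up source host (10.0.0.5) and placeholder sid values; only unmodified text content is modelled, not `|hex|` escapes or modifiers such as `nocase`.

```python
"""Model of Snort content matching: content:"%20" vs content:" " vs no content.

Added example, not from the original mailing-list post. Rule syntax follows
Snort 2.x; the host address and sid numbers are placeholders.
"""
import re

# Three constructed rules that differ only in their content option.
RULES = {
    "percent20": 'log tcp 10.0.0.5 any -> any any '
                 '(msg:"escaped space"; content:"%20"; sid:1000001; rev:1;)',
    "space":     'log tcp 10.0.0.5 any -> any any '
                 '(msg:"raw space"; content:" "; sid:1000002; rev:1;)',
    "nocontent": 'log tcp 10.0.0.5 any -> any any '
                 '(msg:"everything from host"; sid:1000003; rev:1;)',
}

# Constructed packet payloads, all assumed to come from 10.0.0.5.
PACKETS = {
    "http_url":     b"GET /docs/my%20file.txt HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "email_text":   b"I did a content rule and it works, don't know what it will pick up",
    "binary_chunk": bytes(range(256)) * 4,  # stands in for a segment of a zipfile
}


def content_pattern(rule: str):
    """Return the bytes of a rule's content:"..." option, or None if the rule
    has no content specifier. Only plain text content is handled here."""
    m = re.search(r'content:"([^"]*)"', rule)
    return m.group(1).encode() if m else None


def rule_matches(rule: str, payload: bytes) -> bool:
    """A rule with no content option matches every packet; otherwise the
    pattern must appear somewhere in the payload (simple substring search)."""
    pat = content_pattern(rule)
    return pat is None or pat in payload


def matched_packets(rule: str) -> list:
    """Names of the constructed packets a rule would log."""
    return [name for name, payload in PACKETS.items() if rule_matches(rule, payload)]


def count_matches() -> dict:
    """How many of the constructed packets each rule logs."""
    return {name: len(matched_packets(rule)) for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name:10s} -> {matched_packets(rule)}")
```

The binary chunk contains the single byte 0x20 (so `content:" "` still fires on it, once per 256 bytes) but never the three-byte sequence `%20`, so the `percent20` rule logs only the HTTP request. The rule with no content option logs all three packets without doing any string search at all, which is what you want when the goal is simply "every packet from this host".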
Snort-users mailing list: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users