Honeypots mailing list archives
Re: Anyone know how to use the content:! rule and replace in snort_inline?
From: Frank Knobbe <frank () knobbe us>
Date: Mon, 24 Apr 2006 17:40:41 -0500
On Mon, 2006-04-24 at 22:23 +0000, John Smith wrote:
> and replaces the fixed string... so shouldn't I be able to do something like:
>
> pass icmp any any <> any any (content:!"|ff ff ff...|"; replace:"000...";)
>
> and then it will see that the content is NOT ff ff ff (it's 08 09 0a) and replace it the same way it did with the first rule? Of course this didn't work, so I would appreciate it if someone could tell me where I'm going wrong.
You used a "pure not" rule. You cannot use a rule that only has a content:!"blah" in it. You can use negated content matches only after a positive content match (i.e. content:"blah"; content:!"blahoney";).
> Is it even possible to check if content is NOT some known good pattern and then replace anything except that?
heh... what is a NOT known good pattern? Could you write one? :) Snort can only match on content, not on NOT-content alone, much like the absence of content. The not-content rule can only be used in conjunction with a content rule.

Regards,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
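The two rule shapes discussed above, written out side by side. This is an added illustration for the archive reader, not a rule posted in the thread: the three-byte values stand in for the elided "|ff ff ff...|" and "000..." in the original question, and the msg, sid and rev values are placeholders chosen here.

```snort
# Rejected by Snort: a "pure not" rule. The only content option is negated,
# so there is no positive match to anchor on and nothing for replace to act on.
# (Assumed 3-byte values; the original question elided the full strings.)
pass icmp any any <> any any (msg:"pure-not rule, fails to load"; content:!"|ff ff ff|"; replace:"|00 00 00|"; sid:1000001; rev:1;)

# Accepted: a positive content match first, with replace (same byte length)
# bound to it, and the negated content used only as an additional condition.
# The packet is rewritten when it carries 08 09 0a and does not carry ff ff ff.
alert icmp any any <> any any (msg:"rewrite 08 09 0a unless ff ff ff is present"; content:"|08 09 0a|"; replace:"|00 00 00|"; content:!"|ff ff ff|"; sid:1000002; rev:1;)
```

The second rule is the closest you can get to the question asked in the thread: replace needs a concrete matched string to overwrite, so the positive content supplies both the anchor and the bytes to rewrite, and the negated content only vetoes the match. There is still no way to express "replace whatever is there as long as it is not ff ff ff", because a negated content never yields a match location.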
Current thread:
- Anyone know how to use the content:! rule and replace in snort_inline? John Smith (Apr 24)
- Re: Anyone know how to use the content:! rule and replace in snort_inline? Frank Knobbe (Apr 24)
- Re: Anyone know how to use the content:! rule and replace in snort_inline? John Smith (Apr 24)
- Re: Anyone know how to use the content:! rule and replace in snort_inline? Sushant Sinha (Apr 24)
- Re: Anyone know how to use the content:! rule and replace in snort_inline? John Smith (Apr 24)
- Re: Anyone know how to use the content:! rule and replace in snort_inline? Frank Knobbe (Apr 24)