Re: Matching host get and content

[Joel Esler <jesler () sourcefire com>]

Try file_data before your last content match. 

-- 
Joel Esler

On Jul 9, 2012, at 12:29 PM, James Lay <jlay () slave-tothe-box net> wrote:

> Hey all,
>
> I'm not even sure where to look for this, but in layman's terms I want 
> to "match on http getting to a certain domain name and match some 
> content within, only when the two match alert".  Is this a 
> stream_reassemble thing?  Am I looking at something like:
>
> flow:established,to_server; stream_reassemble;enable: content:bleh.com; 
> http_header; content:stuffinpacket;
>
> Thanks for any pointers.
>
> James
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!