Snort mailing list archives
[snort-devel] Creating a new variable into a preprocessor and using it in the rules engine
From: Emiliano Fausto <emiliano.fausto () gmail com>
Date: Fri, 10 Jan 2014 17:09:49 -0200
Hi all!

I'm developing a preprocessor which takes extra information from a packet, and I'd like this info to be sent to the global SNORT structure to be used in the rules engine.

Let's suppose I have a packet with this information:

|header| payload| --> Into the Payload, I have the info: Name="John", Surname="Doe".

And I create two variables in the preprocessor called:

user_name= payload-->Name
user_surname= payload-->Surname

So, I'd like to know if someone has worked with global variables so that I can create a new rule in SNORT which would be something like:

alert udp $EXTERNAL_NET any -> 192.168.0.10 9090 ( user_name; content: "John"; nocase; user_surname; content: "Doe"; nocase; msg: "John Does has logged in to the system"; sid: 12345678; rev: 1; )

Thanks in advance,
Emiliano.
Current thread:
- [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine Emiliano Fausto (Jan 10)
- Re: [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine Emiliano Fausto (Jan 10)
- Re: [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine Emiliano Fausto (Jan 13)
- Re: [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine Emiliano Fausto (Jan 15)
- Re: [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine Emiliano Fausto (Jan 13)
- Re: [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine Emiliano Fausto (Jan 10)