Home page logo
/

snort logo Snort mailing list archives

[snort-devel] Creating a new variable into a preprocessor and using it in the rules engine
From: Emiliano Fausto <emiliano.fausto () gmail com>
Date: Fri, 10 Jan 2014 17:09:49 -0200

Hi all!

I'm developing a preprocessor which takes extra information from a packet,
and I'd like that this info is sent to the global SNORT structure to be
used into the rules engine.

Let's suppose I have a packet with this information:

|header| payload| --> Into the Payload, I have the info: Name="John",
Surname="Doe".

And I create two variables in the preprocessor called:

user_name= payload-->Name
user_surname= payload-->Surname

So, I'd like to know if someone has worked with global variables so that I
can create a new rule in SNORT which would be something like:

alert udp $EXTERNAL_NET any -> 192.168.0.10 9090 ( user_name; content:
"John"; nocase; user_surname; content: "Doe"; nocase; msg: "John Does has
logged in to the system"; sid: 12345678; rev: 1; )

Thanks in advance,
Emiliano.
------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]