Snort mailing list archives

Re: [snort-devel] Creating a new variable into a preprocessor and using it in the rules engine
From: Emiliano Fausto <emiliano.fausto () gmail com>
Date: Fri, 10 Jan 2014 17:53:33 -0200

Hi there,

Just in case: I know that I would be able to create a detection plugin,
like the tcpurg example. But the problem is that I'd rather use the Snort
detection engine to have the string, hex and pcre full searching features.

It would be really hard for me to start from scratch implementing that
functionality. Instead, I'd like to take advantage of it and use it as
http_header does, for example.

Regards!
Emiliano.


2014/1/10 Emiliano Fausto <emiliano.fausto () gmail com>

Hi all!

I'm developing a preprocessor which takes extra information from a packet,
and I'd like this info to be sent to the global SNORT structure to be
used in the rules engine.

Let's suppose I have a packet with this information:

|header| payload| --> In the payload, I have the info: Name="John",
Surname="Doe".

And I create two variables in the preprocessor called:

user_name= payload-->Name
user_surname= payload-->Surname

So, I'd like to know if someone has worked with global variables so that I
can create a new rule in SNORT which would be something like:

alert udp $EXTERNAL_NET any -> 192.168.0.10 9090 ( user_name; content:
"John"; nocase; user_surname; content: "Doe"; nocase; msg: "John Doe has
logged in to the system"; sid: 12345678; rev: 1; )

Thanks in advance,
Emiliano.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
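The pattern the thread is asking for (a preprocessor fills per-packet fields, and a rule option such as user_name or user_surname merely redirects where the following content: match looks, the way http_header does) can be illustrated with a self-contained toy rules engine. This is an added example and not Snort's code or its preprocessor API; the preprocess(), opt_user_name(), opt_user_surname(), opt_content_nocase() and rule_john_doe() functions and the payload format are hypothetical, constructed only to show the buffer-selector idea behind the rule quoted above.

```c
/* Toy "buffer selector" rules engine (added illustration, not Snort code).
 * A hypothetical preprocessor parses Name="..." and Surname="..." from the
 * payload into per-packet fields; the rule options user_name; / user_surname;
 * select which field the next content: keyword is matched against. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define FIELD_MAX 64

/* Per-packet storage filled in by the hypothetical preprocessor. */
struct pkt_fields {
    char user_name[FIELD_MAX];
    char user_surname[FIELD_MAX];
};

/* Which buffer the next content: option is evaluated against. */
enum buf_sel { BUF_PAYLOAD, BUF_USER_NAME, BUF_USER_SURNAME };

struct match_ctx {
    const char *payload;
    const struct pkt_fields *f;
    enum buf_sel sel;
};

/* Find key= as a whole token, so "Name=" does not match inside "Surname=". */
static const char *find_key(const char *payload, const char *key)
{
    const char *p = payload;
    while ((p = strstr(p, key)) != NULL) {
        if (p == payload || !isalnum((unsigned char)p[-1])) return p;
        p += 1;
    }
    return NULL;
}

/* Copy the double-quoted value after key= into out; 0 if absent or malformed. */
static int extract_quoted(const char *payload, const char *key, char *out, size_t outsz)
{
    const char *p = find_key(payload, key);
    if (!p) return 0;
    p += strlen(key);
    if (*p++ != '"') return 0;
    const char *end = strchr(p, '"');
    if (!end || (size_t)(end - p) >= outsz) return 0;   /* bound the copy */
    memcpy(out, p, (size_t)(end - p));
    out[end - p] = '\0';
    return 1;
}

/* Preprocessor stage: runs once per packet, before any rule is evaluated. */
int preprocess(const char *payload, struct pkt_fields *f)
{
    memset(f, 0, sizeof *f);
    int ok = extract_quoted(payload, "Name=", f->user_name, FIELD_MAX);
    ok &= extract_quoted(payload, "Surname=", f->user_surname, FIELD_MAX);
    return ok;
}

/* Rule options user_name; and user_surname; only move the match cursor. */
void opt_user_name(struct match_ctx *c)    { c->sel = BUF_USER_NAME; }
void opt_user_surname(struct match_ctx *c) { c->sel = BUF_USER_SURNAME; }

static const char *selected(const struct match_ctx *c)
{
    switch (c->sel) {
    case BUF_USER_NAME:    return c->f->user_name;
    case BUF_USER_SURNAME: return c->f->user_surname;
    default:               return c->payload;
    }
}

/* content:"needle"; nocase; evaluated against the currently selected buffer. */
int opt_content_nocase(const struct match_ctx *c, const char *needle)
{
    const char *hay = selected(c);
    size_t n = strlen(needle), h = strlen(hay);
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j]))
            j++;
        if (j == n) return 1;
    }
    return 0;
}

/* The rule from the thread: user_name; content:"John"; nocase;
 * user_surname; content:"Doe"; nocase;   -> returns 1 when it would alert. */
int rule_john_doe(const char *payload)
{
    struct pkt_fields f;
    if (!preprocess(payload, &f)) return 0;        /* fields missing: no match */
    struct match_ctx c = { payload, &f, BUF_PAYLOAD };
    opt_user_name(&c);
    if (!opt_content_nocase(&c, "John")) return 0;
    opt_user_surname(&c);
    return opt_content_nocase(&c, "Doe");
}

int main(void)
{
    /* Constructed sample payloads. */
    printf("%d\n", rule_john_doe("Name=\"John\", Surname=\"Doe\""));  /* 1 */
    printf("%d\n", rule_john_doe("Name=\"Doe\", Surname=\"John\""));  /* 0: fields swapped */
    printf("%d\n", rule_john_doe("Surname=\"Doe\", Name=\"john\""));  /* 1: nocase, any order */
    return 0;
}
```

The point of the selector is that the rule never searches the raw payload for "John": it searches only the field the preprocessor extracted, so a "Doe" appearing in the Name field (second sample) does not fire the rule. Bounding the copy in extract_quoted() is what keeps a long or unterminated value from overrunning the fixed per-packet field.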
