Snort mailing list archives

Re: alert base on tcp content


From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 27 Jul 2015 19:11:50 -0600

On Mon, 2015-07-27 at 15:21 +0100, Marcio Guerreiro wrote:

> 1 – Can I generate a rule based on the content in RED? (I guess yes,
> but I would need to decode this string somehow. I wanted to convert it to
> binary or hex and use the "content" keyword to identify the package,
> but I do not know if this is possible.)

Yes, but chances are this would match only once.  Your better bet is to
look at the ungzipped content in the Packet Details in Wireshark, then
match on that content...snort normalizes both base64 and gzip content (I
believe).

> 2 – I came across many other situations and I would like to know what
> to do to identify the format (I understand that this example above is
> in Gzip).

Check out the below link for more info...you could spend a couple days
learning what the protocols look like:

https://wiki.wireshark.org/SampleCaptures

James
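An added example, not part of James's reply or of the Snort project: a short Python script that follows his advice. It base64-decodes and ungzips a body (a constructed sample standing in for the red string in the question, not a real capture), shows why a content match on the raw compressed bytes is brittle (two gzip encodings of the same plaintext differ in their header bytes), and renders the decoded bytes as a Snort content: argument with pipe-hex escaping so it can be pasted into a rule. The rule it prints assumes a server-to-client HTTP response and the Snort 2.9 http_inspect preprocessor configured with `extended_response_inspection` and `inspect_gzip`, which is what makes the `file_data` buffer hold the decompressed body; the sid and msg are placeholders.

```python
import base64
import gzip

# Constructed sample: a small JSON body, gzip-compressed and then base64-encoded,
# standing in for the encoded string in the original question (not a real capture).
PLAIN_BODY = b'{"cmd":"beacon","id":"42"}\r\n'
SAMPLE_B64 = base64.b64encode(gzip.compress(PLAIN_BODY)).decode()


def decode_body(blob: str) -> bytes:
    """Undo the two encodings named in the thread: base64, then gzip if present."""
    raw = base64.b64decode(blob)
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        return gzip.decompress(raw)
    return raw


def raw_bytes_are_unstable() -> bool:
    """Same plaintext, two gzip encodings with different mtime header fields:
    the compressed bytes differ, so a content match on them would only ever
    hit the one sample it was copied from."""
    a = gzip.compress(PLAIN_BODY, mtime=0)
    b = gzip.compress(PLAIN_BODY, mtime=1)
    return a != b and gzip.decompress(a) == gzip.decompress(b) == PLAIN_BODY


def snort_content(data: bytes) -> str:
    """Render bytes as a Snort content: argument. Printable ASCII is kept as-is;
    bytes that are non-printable or special in Snort rule syntax (quote, pipe,
    semicolon, backslash) go into |XX XX| hex runs."""
    out = []
    hexrun = []

    def flush():
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in '"|;\\':
            flush()
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    flush()
    return '"' + "".join(out) + '"'


def make_rule(body_b64: str, sid: int = 1000001) -> str:
    """Build a rule that matches on the decoded body via the file_data buffer.
    Assumes a server response and http_inspect with inspect_gzip enabled
    (hypothetical sid/msg)."""
    marker = decode_body(body_b64)
    return (
        "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ("
        'msg:"Beacon string in decompressed HTTP body"; '
        "flow:to_client,established; file_data; "
        f"content:{snort_content(marker)}; "
        f"sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    print("decoded body:", decode_body(SAMPLE_B64))
    print("raw gzip bytes vary between encodings:", raw_bytes_are_unstable())
    print(make_rule(SAMPLE_B64))
```

Pick a short, stable substring of the decoded body for the real rule rather than the whole thing (the JSON key names here, say), and add `nocase` only if the protocol is case-insensitive at that point; the longer and more specific the content, the more likely it is to miss the next sample.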
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
