Solved

Testing snort rules

Posted on 2010-11-16
1
1,023 Views
Last Modified: 2013-11-29
When designing a packet to test snort rules, does that packet need to contain all the content listed in the rule. For example a rule that has content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; flags:A+; etc.....?

Thanks
0
Comment
Question by:progjm
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 34152965
check out 2.3.9  Content

@ http://ebook.security-portal.cz/book/snort/writing_rules/chap2.html

Whenever a content option pattern match is performed, the Boyer-Moore pattern match function is called and the (rather computationally expensive) test is performed against the packet contents. If data exactly matching the argument data string is contained anywhere within the packet's payload, the test is successful and the remainder of the rule option tests are performed. Be aware that this test is case sensitive.

Also note option such as 2.3.10  Offset, 2.3.11  Depth and 2.3.12  Nocase that would impact the content matching. 2.3.23  Content-list would be of interest as well as it allows multiple content strings to be specified in the place of a single content option
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. Here are 7 ways you can stay safe.
Recovering from what the press called "the largest-ever cyber-attack", IT departments worldwide are discussing ways to defend against this in the future. In this process, many people are looking for immediate actions while, instead, they need to tho…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question