Re: snort signature help ..?

From: donnie (donnie_at_queyosepa.org)
Date: 01/23/05


Date: Sun, 23 Jan 2005 20:28:09 GMT

On Sun, 23 Jan 2005 14:19:38 GMT, "al" <{ask_me}@blueyonder.co.uk>
wrote:

>I've being looking through the snort help pages to see if I can create a
>rule to detect certain code fragments in HTML code. I'm still not sure it's
>possible as what I'd effectively be asking snort to do is piece together all
>the packets and inspect the completed file.
>
>For example, maybe I want an alert when one single HTML page contains the
>words FRED, ALICE and JOHN together. Is such a thing possible at all?
>
>Perhaps a layer 7 firewall such as MS ISA is more suited to this type of
>inspection. Any comments appreciated.
>
>
>
>
>a
>
#######################
I just installed snort on FreeBSD just to see what you were asking.
It appears that what you want to do can be done although I cant give
you the syntax just yet. It the meantime, take a look at:

http://www.snort.org/docs/snort_manual/node14.html

donnie.



Relevant Pages

  • snort signature help ..?
    ... I've being looking through the snort help pages to see if I can create a ... rule to detect certain code fragments in HTML code. ... Perhaps a layer 7 firewall such as MS ISA is more suited to this type of ...
    (alt.computer.security)
  • Re: Cant find the HTML coding in publisher
    ... Publisher is not an html editor so you cannot get at the html with ... You can add Code Fragments (Insert | HTML Code Fragments) but you are ...
    (microsoft.public.publisher.webdesign)