Rule Options
3.6.5 The depth Keyword
The depth keyword is also used in combination with the content keyword to specify an upper limit to the pattern matching. Using the depth keyword, you can specify how far from the start of the data part the search extends. Data after that point is not searched for a pattern match. If you use both the offset and depth keywords with the content keyword, you can specify the range of data within which pattern matching should be done. The following rule tries to find the word HTTP between characters 4 and 40 of the data part of the TCP packet.
alert tcp 192.168.1.0/24 any -> any any (content: \
"HTTP"; offset: 4; depth: 40; msg: "HTTP matched";)
This keyword is very important since you can use it to limit searching inside the packet. For example, information about HTTP GET requests is found at the start of the packet. There is no need to search the entire packet for such strings. Since many packets you capture are very long, it wastes a lot of time to search for these strings in the entire packet. The same is true for many other Snort signatures.
3.6.6 The content-list Keyword
The content-list keyword is used with a file name. The file name, which is used as an argument to this keyword, is a text file that contains a list of strings to be searched for inside a packet. Each string is located on a separate line of the file. For example, a file named porn may contain the following three lines:
porn
hardcore
under 18
The following rule will search for these strings in the data portion of all packets matching the rule criteria.
alert ip any any -> 192.168.1.0/24 any (content-list: \
"porn"; msg: "Porn word matched";)
You can also use the negation sign ! with the file name if you want to generate an
alert for a packet where no strings match.
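The offset/depth search window of the depth section and the file-driven matching of the content-list section, as an added example that is not Snort's own code: a small Python matcher that applies the same search semantics to constructed payloads. It assumes, as Snort implements it, that depth is counted from the offset position, that a pattern running past the end of the window is not a match, and that a content-list file holds one string per line with the ! form inverting the result.

```python
from typing import Iterable, List, Optional


def content_match(payload: bytes, pattern: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """True if `pattern` lies entirely inside the search window of `payload`.

    Assumed semantics (Snort's, not quoted from the book): start at `offset`
    and search only `depth` bytes from there; without depth, search to the
    end of the data part. A pattern that starts inside the window but runs
    past its end does not count.
    """
    if offset < 0 or (depth is not None and depth < 0):
        raise ValueError("offset and depth must be non-negative")
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    window = payload[offset:end]
    return pattern in window


def load_content_list(text: str) -> List[str]:
    """One string per line, as in the porn file; blank lines are ignored and
    spaces inside a string (e.g. 'under 18') are kept."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def content_list_match(payload: bytes, words: Iterable[str],
                       negate: bool = False) -> bool:
    """Emulate content-list: True if any listed string occurs anywhere in the
    data part. With negate=True (the ! form) it is True when none occur."""
    found = any(w.encode() in payload for w in words if w)
    return (not found) if negate else found


# Constructed sample payloads, not captured traffic.
GET_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
LATE_HTTP = b"X" * 60 + b"HTTP"             # token only after the window
PORN_FILE = "porn\nhardcore\nunder 18\n"     # the three-line file from the text

if __name__ == "__main__":
    print(content_match(GET_REQUEST, b"HTTP", offset=4, depth=40))   # True
    print(content_match(LATE_HTTP, b"HTTP", offset=4, depth=40))     # False
    print(content_list_match(b"some hardcore text",
                             load_content_list(PORN_FILE)))          # True
```

Running the same patterns with and without the window shows why depth matters: the unbounded search still finds HTTP at byte 60 of the second payload, so every byte of a long packet gets scanned.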
3.6.7 The dsize Keyword
The dsize keyword is used to find the length of the data part of a packet. Many attacks exploit buffer overflow vulnerabilities by sending large packets. Using this keyword, you can find out if a packet contains data of a length larger than, smaller than, or