Snort Manual

Published by: Jose Chuncano on Sep 11, 2012

Verify that the payload has data at a specified location, optionally looking for data relative to the end of the previous
content match.


isdataat:[!]<int>[, relative|rawbytes];


alert tcp any any -> any 111 (content:"PASS"; isdataat:50,relative; \
    content:!"|0a|"; within:50;)

This rule checks that the string PASS exists in the packet, then verifies that there are at least 50 bytes after the end of the
string PASS, then verifies that there is no newline character within the 50 bytes following the end of the PASS string.

When the rawbytes modifier is specified with isdataat, it looks at the raw packet data, ignoring any decoding that
was done by the preprocessors. This modifier will work with the relative modifier as long as the previous content
match was in the raw packet data.

A ! modifier negates the result of the isdataat test: the option matches when the specified amount of data is not present
in the payload. For example, a rule with the options content:"foo"; isdataat:!10,relative; would alert if there
were fewer than 10 bytes after "foo" before the payload ended.
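To make the semantics of the three paragraphs above concrete (the relative cursor, the negated form, and the interaction with a negated content/within), here is a small Python model of how the PASS rule and the "foo" rule evaluate against a payload. This is an added example, not code from the Snort project or the manual; the function names and the sample payloads are constructed for illustration, and the rawbytes modifier is modelled only by choosing which buffer (raw or preprocessor-decoded) is passed in.

```python
from typing import Optional


def content_match(payload: bytes, pattern: bytes, cursor: int = 0) -> Optional[int]:
    """Model of an unmodified Snort `content` option: find `pattern` at or after
    `cursor` and return the offset just past the match, which becomes the
    detection cursor that `relative` modifiers measure from. None if absent."""
    idx = payload.find(pattern, cursor)
    return None if idx < 0 else idx + len(pattern)


def isdataat(payload: bytes, count: int, cursor: int = 0,
             relative: bool = False, negate: bool = False) -> bool:
    """Model of `isdataat:[!]<count>[,relative]`.

    The manual describes `isdataat:50,relative` as "at least 50 bytes after the
    end of the previous match", and this model follows that wording.  Assumption:
    whether the engine counts exactly `count` remaining bytes as a hit is an
    off-by-one detail the manual text does not settle.  `rawbytes` is modelled by
    passing the raw rather than the decoded buffer as `payload`.
    """
    base = cursor if relative else 0
    remaining = len(payload) - base
    has_data = remaining >= count
    return (not has_data) if negate else has_data


def content_absent_within(payload: bytes, pattern: bytes, cursor: int, within: int) -> bool:
    """Model of `content:!"..."; within:N;` for a short pattern: True when the
    pattern does not occur in the N bytes that follow the cursor."""
    window = payload[cursor:cursor + within]
    return pattern not in window


def pass_rule(payload: bytes) -> bool:
    """The manual's rule:
    content:"PASS"; isdataat:50,relative; content:!"|0a|"; within:50;
    Alerts on a PASS command followed by 50+ bytes with no newline in them."""
    cursor = content_match(payload, b"PASS")
    if cursor is None:
        return False
    if not isdataat(payload, 50, cursor, relative=True):
        return False
    return content_absent_within(payload, b"\x0a", cursor, 50)


def foo_rule(payload: bytes) -> bool:
    """The manual's negated form: content:"foo"; isdataat:!10,relative;
    Alerts when fewer than 10 bytes follow "foo" before the payload ends."""
    cursor = content_match(payload, b"foo")
    if cursor is None:
        return False
    return isdataat(payload, 10, cursor, relative=True, negate=True)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "pass_long_no_newline": b"PASS " + b"A" * 60,                      # 50+ bytes, no newline: alert
    "pass_newline_inside":  b"PASS " + b"A" * 20 + b"\n" + b"A" * 40,  # newline within 50: no alert
    "pass_short":           b"PASS hunter2\r\n",                       # too little data: no alert
    "foo_short":            b"foo bar",                                # 4 bytes after foo: alert
    "foo_long":             b"foo" + b"x" * 10,                        # 10 bytes after foo: no alert
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:24s} pass_rule={str(pass_rule(data)):5s} foo_rule={foo_rule(data)}")
```

Running the block prints one line per sample; the "pass_newline_inside" case shows why the rule pairs isdataat with a negated content, since enough data alone does not distinguish a normal line-terminated PASS command from an overlong one.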
