Rule Options
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
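Each entry above has three comma-separated fields after "config classification:": the name that a rule references with the classtype keyword, a free-text description, and a priority number where 1 is the most severe. The following parser is an added example, not code from the book or from the Snort project; it reads lines in that format, rejects malformed entries (a missing priority, a name containing spaces, since classtype takes a single token) and duplicates, and orders a set of classtype names by severity. SAMPLE_CONFIG is a constructed input whose last line is deliberately broken.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "config classification: name,description,priority"
# format used above; the last entry is deliberately malformed.
SAMPLE_CONFIG = """\
config classification: string-detect,A suspicious string was detected,3
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: web-application-attack,Web Application Attack,1
# comment lines and blank lines are skipped

config classification: bogus,Malformed entry without a priority
"""


@dataclass(frozen=True)
class Classification:
    name: str          # token a rule references with classtype:name;
    description: str   # free text shown with the alert
    priority: int      # 1 = most severe, larger numbers = less severe


_CLASS_LINE = re.compile(r"^\s*config\s+classification\s*:\s*(.*\S)\s*$")


def parse_classification(line):
    """Parse one line. Returns a Classification, or None when the line is not a
    classification directive. Raises ValueError for a malformed directive."""
    m = _CLASS_LINE.match(line)
    if not m:
        return None
    fields = [f.strip() for f in m.group(1).split(",")]
    if len(fields) != 3:
        raise ValueError(f"expected name,description,priority: {line.strip()!r}")
    name, description, priority = fields
    if not name or " " in name:
        raise ValueError(f"classification name must be a single token: {name!r}")
    if not priority.isdigit() or int(priority) < 1:
        raise ValueError(f"priority must be a positive integer: {priority!r}")
    return Classification(name, description, int(priority))


def load_classifications(text):
    """Parse a whole file. Returns (classes_by_name, errors); errors is a list of
    (line_number, message) for malformed or duplicate entries, so one bad line
    does not silently drop the rest of the file."""
    classes, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            cls = parse_classification(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if cls is None:
            continue
        if cls.name in classes:
            errors.append((lineno, f"duplicate classification {cls.name!r}"))
            continue
        classes[cls.name] = cls
    return classes, errors


def rank_by_priority(classes, names):
    """Order classtype names most severe first (priority 1 before 3). Names with
    no definition go last so a rule referencing an undefined classtype is still
    visible instead of being dropped."""
    known = sorted((n for n in names if n in classes), key=lambda n: classes[n].priority)
    unknown = [n for n in names if n not in classes]
    return known + unknown


if __name__ == "__main__":
    classes, errors = load_classifications(SAMPLE_CONFIG)
    for c in sorted(classes.values(), key=lambda c: c.priority):
        print(f"{c.priority}  {c.name:24} {c.description}")
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
```

Running the script lists the three valid entries by priority and reports the malformed line with its line number; the same loader can be pointed at a real classification.config to catch typos before Snort reads it.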
3.6.3 The content Keyword
One important feature of Snort is its ability to find a data pattern inside a packet. The pattern may be presented in the form of an ASCII string or as binary data in the form of hexadecimal characters. Like viruses, intruders also have signatures, and the content keyword is used to find these signatures in the packet. Since Snort version 1.x does not support application layer protocols, this keyword, in conjunction with the offset keyword, can also be used to look into the application layer header.

The following rule detects the pattern "GET" in the data part of all TCP packets that are leaving the 192.168.1.0 network and going to an address that is not part of that network. The GET keyword is used in many HTTP-related attacks; however, this rule is only using it to help you understand how the content keyword works.
alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any \
  (content: "GET"; msg: "GET matched";)
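To show what the content and offset keywords actually do to a payload, here is an added example (not code from the book or from Snort) that reimplements the matching in Python: a content string is converted to bytes, with text between a pair of "|" characters read as hexadecimal (Snort's own notation for binary patterns, so "|47 45 54|" is the same pattern as "GET"), and the search can be restricted with an offset and a depth counted from that offset. The get_rule_alert function evaluates the rule above against a source address, a destination address and a payload. SAMPLE_PAYLOAD and HOME_NET are constructed for the example; escape sequences inside content strings are not handled.

```python
import ipaddress
import re

# Constructed sample payload: the data part of a TCP segment carrying an HTTP request.
SAMPLE_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

_HEX_RE = re.compile(r"^[0-9A-Fa-f]*$")


def parse_content(pattern):
    """Convert a Snort-style content string into bytes. Text outside '|' is taken
    literally; text between a pair of '|' is hexadecimal, e.g. "a|00 01|b"."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced '|' in content pattern {pattern!r}")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:                      # literal ASCII section
            out += part.encode("latin-1")
        else:                               # |hex| section
            digits = part.replace(" ", "")
            if len(digits) % 2 or not _HEX_RE.match(digits):
                raise ValueError(f"bad hex section {part!r} in {pattern!r}")
            out += bytes.fromhex(digits)
    return bytes(out)


def content_match(payload, pattern, offset=0, depth=None, nocase=False):
    """Search payload for pattern the way the content keyword does.
    offset: skip this many bytes of payload before searching.
    depth:  search only this many bytes starting at offset (the whole pattern
            must fit inside that window); None means search to the end.
    Returns the absolute index of the first match, or -1 when there is none."""
    needle = parse_content(pattern)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        idx = window.lower().find(needle.lower())
    else:
        idx = window.find(needle)
    return -1 if idx < 0 else offset + idx


# Constructed home network matching the rule on this page.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


def get_rule_alert(src_ip, dst_ip, payload):
    """Evaluate the page's rule:
    alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content:"GET"; msg:"GET matched";)
    Returns the msg text when the rule fires, otherwise None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src not in HOME_NET or dst in HOME_NET:   # source inside, destination outside
        return None
    if content_match(payload, "GET") < 0:
        return None
    return "GET matched"


if __name__ == "__main__":
    print(content_match(SAMPLE_PAYLOAD, "GET"))                     # ASCII pattern
    print(content_match(SAMPLE_PAYLOAD, "|47 45 54|"))              # same bytes in hex
    print(content_match(SAMPLE_PAYLOAD, "HTTP/1.", offset=16, depth=7))
    print(get_rule_alert("192.168.1.10", "203.0.113.5", SAMPLE_PAYLOAD))
    print(get_rule_alert("192.168.1.10", "192.168.1.20", SAMPLE_PAYLOAD))
```

The offset and depth arguments are what make the keyword usable against a fixed-layout header: with offset=16 and depth=7 the search above only looks at the seven bytes where the HTTP version sits, and a pattern that does not fit entirely inside that window is not a match.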