Chapter 3     Working with Snort Rules
The following rule does the same thing but the pattern is listed in hexadecimal.
alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any \
  (content: "|47 45 54|"; msg: "GET matched";)
Hexadecimal number 47 is equal to ASCII character G, 45 is equal to E, and 54 is equal to T. You can also match both ASCII strings and binary patterns in hexadecimal form inside one rule. Just enclose the hexadecimal characters inside a pair of bar symbols: ||.
When using the content keyword, keep the following in mind:
• Content matching is a computationally expensive process and you should be careful of using too many rules for content matching.
• If you provide content as an ASCII string, you should escape the double quote, colon and bar symbols.
• You can use multiple content keywords in one rule to find multiple signatures in the data packet.
• Content matching is case sensitive.
There are three other keywords that are used with the content keyword. These keywords add additional criteria while finding a pattern inside a packet. These are:
• The offset keyword
• The depth keyword
• The nocase keyword
These keywords are discussed later in this chapter. The first two keywords are used to confine the search within a certain range of the data packet. The nocase keyword is used to make the search case insensitive.
3.6.4 The offset Keyword
The offset keyword is used in combination with the content keyword. Using this keyword, you can start your search at a certain offset from the start of the data part of the packet. Use a number as argument to this keyword. The following rule starts searching for the word "HTTP" after 4 bytes from the start of the data.
alert tcp 192.168.1.0/24 any -> any any \
  (content: "HTTP"; offset: 4; msg: "HTTP matched";)
You can use the depth keyword to define the point after which Snort should stop searching the pattern in the data packets.
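To make the semantics of these content modifiers concrete, the following added example (not from the book or from Snort itself) implements a small matcher that parses a content string with mixed ASCII and |hex| segments, honours the escaping rules listed above, and applies offset, depth and nocase to a constructed HTTP request payload. The function names and the sample payload are assumptions for illustration.

```python
import re
from typing import Optional

# Constructed sample payload: the data part of a TCP packet carrying an HTTP request.
PAYLOAD = b"GET /index.html HTTP/1.0\r\n"


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into the raw bytes to search for.

    Text outside |...| is ASCII (with \\" \\: \\| and \\\\ unescaped);
    text inside |...| is space-separated hexadecimal, e.g. |47 45 54| == b"GET".
    """
    out = bytearray()
    # Split only on bars that are not escaped, so "\|" stays a literal bar.
    for i, part in enumerate(re.split(r"(?<!\\)\|", spec)):
        if i % 2 == 0:
            out += re.sub(r"\\(.)", r"\1", part).encode("ascii")
        else:
            out += bytes.fromhex(part)
    return bytes(out)


def content_match(payload: bytes, spec: str, offset: int = 0,
                  depth: Optional[int] = None, nocase: bool = False) -> int:
    """Return the payload index where the content first matches, or -1.

    offset: number of bytes to skip from the start of the data before searching.
    depth:  only this many bytes (counted from offset) are searched; the whole
            pattern must fit inside that window, exactly as Snort requires.
    nocase: compare case-insensitively.
    """
    pattern = parse_content(spec)
    window = payload[offset:]
    if depth is not None:
        window = window[:depth]
    if nocase:
        pos = window.lower().find(pattern.lower())
    else:
        pos = window.find(pattern)
    return -1 if pos < 0 else pos + offset


if __name__ == "__main__":
    # Mirrors the two rules above: hex "GET" at the start, "HTTP" after 4 bytes.
    print("GET matched at", content_match(PAYLOAD, "|47 45 54|"))
    print("HTTP matched at", content_match(PAYLOAD, "HTTP", offset=4))
    print("HTTP with depth 14:", content_match(PAYLOAD, "HTTP", offset=4, depth=14))
```

The last line shows the depth edge case: with offset 4 and depth 14 the window ends at "HT", so the pattern is not wholly inside it and there is no match.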