[Discussion] Submitted Ideas

• Previous message (by thread): [Discussion] Submitted Ideas
• Next message (by thread): [Discussion] Submitted Ideas
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Victor Julien wrote:
> 
> In my prototype code I can already capture vars using pcre substring
> capturing, although adding an additional way to do this outside of pcre
> could be interesting too:
> 
> alert tcp any any -> any $HTTP_PORTS (msg:"HTTP GET URI cap";
> flow:to_server; content:"GET "; depth:4; pcre:"/^GET
> (?P<pkt_http_uri>.*) HTTP\/\d\.\d\r\n/G"; noalert; sid:1;)
> 
> This captures the http uri into the var "pkt_http_uri", which is stored
> in a packet context. Similarly, "flow_http_uri" stores it in a flow, so
> other packets in the same flow can access it. I'm thinking about adding
> the same for 'global', 'host', 'stream' and maybe more...

With global how do we keep streams from walking over eachother?

Maybe make arrays that the check could be against every element of the
array and if a match then there'd eb the reference to the stream it was
from and further checks could be done for other vars in just that stream...

Matt



-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

• Previous message (by thread): [Discussion] Submitted Ideas
• Next message (by thread): [Discussion] Submitted Ideas
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]