Snort mailing list archives
Re: Need help with a rule
From: Andreas Östling <andreaso () it su se>
Date: Wed, 10 Apr 2002 10:28:24 +0200
On Wednesday 10 April 2002 00.33, Sheahan, Paul wrote:
In some cases I do know the set of characters that might follow "twenty". Let's say I want an alert for "twenty" but not "twentyone" and that is it. Do you think that might be possible to create a rule for?
Yes, in that case you could use something like:

alert ip any any -> any any (msg: "twenty, not twentyone"; \
  content: "twenty"; content: !"twentyone";)

Although sometimes it's worth remembering that if a packet then contains both the word "twenty" alone, and also "twentyone" in another sentence for example, you will not get an alert when using rules like the one above. In cases where this isn't acceptable and you can't fix it by using depth/offset checks etc, it's probably better to use what Ryan suggested instead.

/Andreas
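The false negative Andreas describes is easy to see once the rule's matching logic is written out: every content option in a Snort rule is ANDed, and a negated content is satisfied only when the pattern is absent from the searched region, so a payload holding both "twenty" and "twentyone" never fires. The following Python is an added illustration, not code from the thread or from Snort itself; it models the content/offset/depth semantics on constructed sample payloads, shows the offset/depth variant working only when "twenty" sits at a known fixed position (an assumption made for the demonstration), and adds a regex with a negative lookahead as one way to express "twenty not followed by one". Ryan's suggestion is not on this page, so the regex is not presented as his approach.

```python
import re

# Constructed sample payloads; none of these come from the thread.
PAYLOADS = {
    "alone":    b"I counted to twenty and stopped",
    "compound": b"I counted to twentyone and stopped",
    "both":     b"twenty is smaller than twentyone",
    "none":     b"nothing relevant here",
}


def content_matches(payload, pattern, negated=False, offset=0, depth=None):
    """Model one Snort 'content' option.

    Snort searches the payload (optionally restricted to 'depth' bytes
    starting at 'offset') for the pattern; a '!' content is satisfied
    when the pattern is absent from the searched region.
    """
    end = None if depth is None else offset + depth
    found = pattern in payload[offset:end]
    return not found if negated else found


def rule_matches(payload, contents):
    """All content options of one rule must hold for the rule to alert."""
    return all(content_matches(payload, **c) for c in contents)


# The rule from the post: content:"twenty"; content:!"twentyone";
RULE_TWENTY_NOT_TWENTYONE = [
    {"pattern": b"twenty"},
    {"pattern": b"twentyone", "negated": True},
]

# Hypothetical offset/depth variant: only usable when "twenty" is known
# to start at a fixed position in the payload (here offset 0).
RULE_WITH_DEPTH = [
    {"pattern": b"twenty", "offset": 0, "depth": 6},
    {"pattern": b"twentyone", "negated": True, "offset": 0, "depth": 9},
]


def evaluate(rule):
    """Return {payload name: alert fired?} for every sample payload."""
    return {name: rule_matches(p, rule) for name, p in PAYLOADS.items()}


def regex_alternative(payload):
    """'twenty' not immediately followed by 'one' (negative lookahead).

    Added for comparison; a single regex sees each occurrence in context,
    so 'both' fires while 'compound' does not.
    """
    return re.search(rb"twenty(?!one)", payload) is not None


if __name__ == "__main__":
    print("negated content:", evaluate(RULE_TWENTY_NOT_TWENTYONE))
    print("offset/depth:   ", evaluate(RULE_WITH_DEPTH))
    print("regex:          ", {n: regex_alternative(p) for n, p in PAYLOADS.items()})
```

Running it shows the negated-content rule alerting only on "alone" and missing "both" (the case Andreas warns about); the offset/depth rule catches "both" but misses "alone", because it only ever looks at the first six bytes; the lookahead regex alerts on exactly "alone" and "both".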
Current thread:
- Need help with a rule Sheahan, Paul (PCLN-NW) (Apr 09)
- Re: Need help with a rule Ryan Russell (Apr 09)
- <Possible follow-ups>
- RE: Need help with a rule Sheahan, Paul (PCLN-NW) (Apr 09)
- RE: Need help with a rule Ryan Russell (Apr 09)
- Re: Need help with a rule Andreas Östling (Apr 10)
- RE: Need help with a rule Estes, Matt CPR / FCBS (Apr 10)