Snort mailing list archives
Re: Better regex expression ($ of "end of string")
From: Brian <bmc () snort org>
Date: Mon, 25 Nov 2002 20:31:38 -0500
On Fri, Nov 22, 2002 at 03:23:30PM -0500, Vincent Corriveau wrote:
> I want to have an alert when a user requests an applet (.cab request)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
> ( \
>     msg: "HTTP GET .cab"; \
>     uricontent: ".cab"; nocase; \
>     flags: A+; \
>     classtype: criq; \
> )
# ".cab" followed by a space
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    ( msg:"HTTP GET .cab"; flow:to_server,established; \
    uricontent:".cab"; nocase; content:".cab "; \
    nocase;)

# ".cab" followed by a tab (0x09)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    ( msg:"HTTP GET .cab"; flow:to_server,established; \
    uricontent:".cab"; nocase; content:".cab|09|"; \
    nocase;)

-brian
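How the original rule and the two rules in the reply differ in what they match, as an added example that is not part of the original messages: a simplified Python model (plain substring tests, not Snort's matching engine) run over constructed request lines. The function names and sample requests are assumptions made for illustration.

```python
# Added illustration: approximates how the rules in this thread match, using
# plain substring tests. A simplified model, not Snort's matching engine.

def uri_of(request: bytes) -> bytes:
    """Return the URI field of the request line (method, URI, version)."""
    request_line = request.split(b"\r\n", 1)[0]
    fields = request_line.replace(b"\t", b" ").split(b" ")
    return fields[1] if len(fields) > 1 else b""

def original_rule(request: bytes) -> bool:
    # uricontent:".cab"; nocase;  -> ".cab" anywhere in the URI
    return b".cab" in uri_of(request).lower()

def anchored_rules(request: bytes) -> bool:
    # uricontent:".cab"; nocase; combined with content:".cab " (first rule)
    # or content:".cab|09|" (second rule); nocase applies to both.
    # content is searched over the whole payload, not only the URI.
    payload = request.lower()
    return original_rule(request) and (b".cab " in payload or b".cab\t" in payload)

# Constructed sample requests (not taken from the thread).
HEADERS = b"\r\nHost: example.test\r\n\r\n"
SAMPLES = {
    "applet":  b"GET /applets/viewer.cab HTTP/1.0" + HEADERS,
    "upper":   b"GET /APPLETS/VIEWER.CAB HTTP/1.0" + HEADERS,
    "tab":     b"GET /applets/viewer.cab\tHTTP/1.0" + HEADERS,
    "cabinet": b"GET /docs/file.cabinet.html HTTP/1.0" + HEADERS,
    "query":   b"GET /applets/viewer.cab?v=2 HTTP/1.0" + HEADERS,
}

def evaluate(samples=SAMPLES):
    """Map sample name -> (original rule fires, anchored rules fire)."""
    return {name: (original_rule(r), anchored_rules(r)) for name, r in samples.items()}

if __name__ == "__main__":
    for name, (orig, anchored) in evaluate().items():
        print(f"{name:8} original={orig!s:5} anchored={anchored}")
```

In this model the trailing space or tab removes the `.cabinet` match, and a `.cab` request that carries a query string no longer matches either anchored rule.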