Snort mailing list archives

Re: How's best to alert on Web connections that *don't* contain particular content?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 26 Feb 2003 10:47:58 +1300

On Tue, Feb 25, 2003 at 03:42:33PM -0600, Schmehl, Paul L wrote:
> Have you tried removing the asterisk?  regex:!"Host|3a|trend" instead of
> regex:!"Host|3a|*trend"?

No, the hostnames are huge monsters of things, hanging off Akamai and all
sorts of other providers. The one thing they have in common is that the
hostnames all contain the string "trend".

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
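
The distinction discussed in this exchange, as an added example that is not part of the original thread: matching "trend" immediately after `Host:` versus anywhere inside the Host header value, and why the negated check should be scoped to that header rather than the whole payload. The sample requests and hostnames are constructed, and reading `*` as "any run of characters" is an assumption about the pattern's intent.

```python
import re

NEEDLE = "trend"  # substring named in the thread

def host_header(request: bytes):
    """Return the lower-cased Host header value, or None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower()
    return None

def literal_match(request: bytes) -> bool:
    """'trend' directly after 'Host:' (one optional space), no wildcard."""
    return re.search(rb"(?i)host: ?trend", request) is not None

def wildcard_match(request: bytes) -> bool:
    """'trend' anywhere inside the Host header value."""
    host = host_header(request)
    return host is not None and NEEDLE in host

def payload_wide_match(request: bytes) -> bool:
    """'trend' anywhere in the request, including URI and other headers."""
    return NEEDLE.encode() in request.lower()

def should_alert(request: bytes) -> bool:
    """Alert when the Host header is missing or lacks the substring."""
    return not wildcard_match(request)

# Constructed sample requests (hostnames are placeholders).
SAMPLES = {
    "cdn": b"GET /update.zip HTTP/1.0\r\n"
           b"Host: a248.e.cdn.example.trend-dl.example\r\n\r\n",
    "direct": b"GET /update.zip HTTP/1.0\r\nHost: trend.example\r\n\r\n",
    "other": b"GET /trend/index.html HTTP/1.0\r\n"
             b"Host: www.other.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:7} literal={literal_match(req)!s:5} "
              f"wildcard={wildcard_match(req)!s:5} "
              f"payload={payload_wide_match(req)!s:5} "
              f"alert={should_alert(req)}")
```

The "cdn" request shows why dropping the wildcard fails for long provider hostnames, and the "other" request shows a payload-wide negated match suppressing an alert that the header-scoped check raises.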

