Snort mailing list archives

RE: How's best to alert on Web connections that *don't* contain particular content?


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Tue, 25 Feb 2003 15:42:33 -0600

Have you tried removing the asterisk?  regex:!"Host|3a|trend" instead of
regex:!"Host|3a|*trend"?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/



-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz] 
Sent: Tuesday, February 25, 2003 2:47 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] How's best to alert on Web connections that
*don't* contain particular content?


regex:!"Host|3a|*trend";nocase;tag: session, 10,packets;\
classtype:successful-admin;sid:1000001;rev:2;\
reference: url,/secure/cvename.php?name=1000001;)

