Snort mailing list archives
Re: Not uricontent
From: "lists () packetmail net" <lists () packetmail net>
Date: Thu, 23 Feb 2012 16:49:16 -0600
On 02/23/12 15:40, Andrew Torres wrote:
> Can and advise on a method to write a rule that says all content except uricontent. An example of this would be looking for a string in the body of the text but not in the uri. Please Advise. Thanks
Hi Andrew, so when you use the content:"" keyword unconstrained to a buffer you end up with a situation like you've described. There are two ways to approach this:

1) You could use some of the http_* content modifiers like http_header, http_client_body, http_cookie, etc.

2) You could use a plain content match coupled with a negated content match against http_uri. Consider the below:

#Match 'foo' but not if 'foo' is in the URI
content:"foo"; content:!"foo"; http_uri;

Thanks,
Nathan
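The two options in the reply above, modelled on constructed requests to show where they differ. This is an added example, not part of the original post and not Snort code: the function names, the sample requests and the use of percent-decoding as a stand-in for URI normalization are all assumptions.

```python
# Added illustration: a simplified model of Snort content-buffer matching.
# All function names and sample requests are constructed for this example.
from urllib.parse import unquote_to_bytes


def make_request(uri: bytes, body: bytes, extra_header: bytes = b"") -> bytes:
    """Build a constructed HTTP POST request as raw bytes."""
    return (b"POST " + uri + b" HTTP/1.1\r\nHost: example.test\r\n" + extra_header
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def split_request(raw: bytes):
    """Return (uri, body); percent-decoding stands in for URI normalization."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return unquote_to_bytes(uri), body


def option1_client_body(raw: bytes, needle: bytes) -> bool:
    """Models: content:"foo"; http_client_body;  (match in the body only)."""
    return needle in split_request(raw)[1]


def option2_negated_uri(raw: bytes, needle: bytes) -> bool:
    """Models: content:"foo"; content:!"foo"; http_uri;
    The first match sees the whole payload; the second requires that the
    URI buffer does NOT contain the needle."""
    return needle in raw and needle not in split_request(raw)[0]


SAMPLES = {  # constructed sample requests
    "body_only": make_request(b"/index.php", b"q=foo"),
    "uri_only": make_request(b"/foo.php", b"q=bar"),
    "uri_and_body": make_request(b"/foo.php", b"q=foo"),
    "header_only": make_request(b"/index.php", b"q=bar", b"X-Note: foo\r\n"),
}


def evaluate(needle: bytes = b"foo") -> dict:
    """Map each sample name to (option 1 fires, option 2 fires)."""
    return {name: (option1_client_body(raw, needle), option2_negated_uri(raw, needle))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (opt1, opt2) in evaluate().items():
        print(f"{name:13} option1={opt1!s:5} option2={opt2!s:5}")
```

In this model the options disagree on two samples: when the string is in both the URI and the body only option 1 fires, and when it appears only in a header only option 2 fires.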