Snort mailing list archives
RE: Multiple CONTENT: rule
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Tue, 21 Aug 2001 19:07:24 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
-----Original Message----- From: Ben Johansen [mailto:benj () intelisoft net] Sent: Tuesday, August 21, 2001 6:07 PM
Ben, how about: pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI calendar access";flags: A+; uricontent:"/calendar.html"; nocase; classtype:attempted-recon; sid:882; rev:1;) followed by: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI calendar access";flags: A+; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:1;) Regards, Frank -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.8 Comment: PGP or S/MIME encrypted email preferred. iQA/AwUBO4L3vJytSsEygtEFEQKZiQCfXvcDkWOao0HP8Zb2P7KN57XupskAoPmh jAwzwDcup2J+PGDh2giCY5Pm =7PAW -----END PGP SIGNATURE----- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Multiple CONTENT: rule Ben Johansen (Aug 21)
- <Possible follow-ups>
- RE: Multiple CONTENT: rule Frank Knobbe (Aug 21)