Snort mailing list archives
Re: Two content variables
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 5 Apr 2002 17:20:57 -0800 (PST)
On Fri, 5 Apr 2002, Kevin L Pawloski wrote:
> > Just to clarify what you're asking about, you want something like:
> >
> > If content is "xyz" then
> >     If content is "ABC" then ignore
> >     else alert;
> >
> > Right?
>
> Yeah exactly.
Warning: This is off the top of my head, and right after the Giants Opening day win--So it may not be perfect. :)

Use dynamic rules.

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.6

Have the XYZ rule activate the !ABC rule. Otherwise it will 'do nothing'.

Note: This will be removed down the road, so don't become dependent upon it.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
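
The activate/dynamic pairing suggested in the reply above, written out as an added example that is not part of the original post. The protocol, the `any any` addresses and ports, the `msg` text and the `count` value are assumptions chosen for illustration; only the "xyz" and "ABC" strings come from the thread.

```snort
# Added example, not from the original post.
# Rule 1: fires when "xyz" is seen and switches on dynamic rule set 1.
activate tcp any any -> any any (msg:"xyz seen"; content:"xyz"; activates:1;)

# Rule 2: idle until activated by rule 1, then inspects the next 10
# matching packets (count is an assumed value) and logs those that
# do NOT contain "ABC".
dynamic tcp any any -> any any (msg:"xyz without ABC"; content:!"ABC"; activated_by:1; count:10;)
```

Once activated, a dynamic rule behaves like a log rule and applies to packets that follow the activating packet, so this pair logs later traffic lacking "ABC" rather than raising an alert on the packet that carried "xyz".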