Snort mailing list archives

(no subject)


From: <counterping () uk2 net>
Date: Tue, 10 Dec 2002 13:18:03 GMT

Hiya,

Having a little trouble writing a Snort Rule. (I am new to the game, so pls 
excuse my ignorance)

I would like to write a rule, alerting for 'NOT' a specific content.
The problem arises when I try to use "Multiple Contents" (I'm wanting to use 
multiple 'OR' expressions)

The Logic: 
Alert if content is,  NOT 'ABC'  OR   NOT 'DEF'  OR   NOT 'GHI'

My SNORT Rule:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"NON RTP TRAFFIC"; content: !"|80 04|"; content: !"|80 05|"; content: !"|81 c8|";)


This rule does not work, it's treating it as 'ANDs' therefore fails.
Any help would be greatly appreciated, cause I'm stuck ... real stuck
Cheers
Matt C
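
Added example (not part of the original message): a small Python model of the two ways the three negated content tests can combine, using the byte patterns from the rule above and constructed sample payloads. It assumes plain substring matching anywhere in the payload, since the rule sets no offset or depth; the function names are hypothetical.

```python
# Added example: models how negated content tests combine in one rule.
# PATTERNS are the byte pairs from the rule in the post.
PATTERNS = [bytes.fromhex("8004"), bytes.fromhex("8005"), bytes.fromhex("81c8")]


def negated_and(payload, patterns=PATTERNS):
    """All options must hold (how a single rule is evaluated):
    alert only if every pattern is absent from the payload."""
    return all(p not in payload for p in patterns)


def negated_or(payload, patterns=PATTERNS):
    """The logic as written in the post:
    alert if at least one pattern is absent from the payload."""
    return any(p not in payload for p in patterns)


# Constructed payloads (not captured traffic).
SAMPLES = {
    "has_80_04": bytes.fromhex("8004 1a2b 0000 03e8 deadbeef"),
    "has_81_c8": bytes.fromhex("81c8 000c deadbeef 0000 0001"),
    "has_none": bytes.fromhex("1703 0301 0020 aabb"),
    "has_all": bytes.fromhex("8004 8005 81c8"),
}


def truth_table(samples=SAMPLES):
    """Map sample name -> (alert under AND, alert under OR)."""
    return {name: (negated_and(data), negated_or(data))
            for name, data in samples.items()}


def de_morgan_holds(samples=SAMPLES, patterns=PATTERNS):
    """AND of negations == NOT(any present); OR of negations == NOT(all present)."""
    return all(
        negated_and(d) == (not any(p in d for p in patterns))
        and negated_or(d) == (not all(p in d for p in patterns))
        for d in samples.values()
    )


if __name__ == "__main__":
    print(f"{'payload':<12}{'AND':<8}{'OR':<8}")
    for name, (a, o) in truth_table().items():
        print(f"{name:<12}{str(a):<8}{str(o):<8}")
```

In this model the OR form alerts on every sample except the one containing all three patterns, while the AND form alerts only on the sample containing none of them.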


