Snort mailing list archives

Re: (no subject)


From: Erick Mechler <emechler () techometer net>
Date: Tue, 10 Dec 2002 08:12:45 -0800

:: I would like to write a rule alerting for 'NOT' a specific content.
:: The problem arises when I try to use "Multiple Contents" (I want to use
:: multiple 'OR' expressions).
:: 
:: The Logic: 
:: Alert if content is NOT 'ABC' OR NOT 'DEF' OR NOT 'GHI'

I think the best way to do this would be to write 4 rules in your own
library, not just one rule.  The first three will check that the content
doesn't match the given binary string, and the last one will alert if it's
reached.

From Section 2.1 of the Snort Manual:

  All of the elements that make up a rule must be true for the indicated 
  rule action to be taken. When taken together, the elements can be 
  considered to form a logical AND statement. At the same time, the various 
  rules in a Snort rules library file can be considered to form a large 
  logical OR statement.

What I would suggest:

pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC";
content: !"|80 04|";)
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC";
content: !"|80 05|";)
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC";
content: !"|81 c8|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"NON RTP TRAFFIC";)

FAQ entry 3.13 should explain how this would get converted into a 
rulechain.  http://www.snort.org/docs/faq.html#3.13

Cheers - Erick
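To make the AND-within-a-rule and OR-across-rules semantics from the manual concrete, here is a small Python evaluator (an added example, not Erick's code and not part of Snort) that parses the four rules above, with the closing `|` supplied on each hex string, and runs them over constructed UDP payloads. It assumes pass rules are tried before alert rules, which this design needs; the payloads are made up for illustration.

```python
import re

# Constructed copy of the four rules above (closing "|" supplied on each hex string).
RULESET = """
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content: !"|80 04|";)
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content: !"|80 05|";)
pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content: !"|81 c8|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"NON RTP TRAFFIC";)
"""
CONTENT_RE = re.compile(r'content:\s*(!?)"([^"]*)"')
MSG_RE = re.compile(r'msg:"([^"]*)"')

def decode_content(text):
    """Snort content string -> bytes: |..| spans are hex, everything else literal."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def parse_rules(text):
    """Return a list of (action, msg, [(negated, pattern), ...]) tuples."""
    rules = []
    for line in text.strip().splitlines():
        action = line.split()[0]
        msg = MSG_RE.search(line).group(1)
        contents = [(neg == "!", decode_content(c)) for neg, c in CONTENT_RE.findall(line)]
        rules.append((action, msg, contents))
    return rules

def rule_matches(contents, payload):
    # Every option inside one rule must hold: the rule is a logical AND.
    # A rule with no content option (the alert rule) matches any payload.
    return all((pat not in payload) if negated else (pat in payload)
               for negated, pat in contents)

def evaluate(rules, payload):
    """First matching rule wins, so the ruleset as a whole is a logical OR.
    Assumption: pass rules are tried before alert rules, as this design needs."""
    ordered = sorted(rules, key=lambda r: r[0] != "pass")  # stable: pass first
    for action, msg, contents in ordered:
        if rule_matches(contents, payload):
            return action, msg
    return None, None

def classify(payload):
    return evaluate(parse_rules(RULESET), payload)

if __name__ == "__main__":
    # Constructed payloads: all three byte pairs, one of them, none of them.
    for sample in (b"\x80\x04\x80\x05\x81\xc8", b"\x80\x04\x00\x00", b"\x00\x01\x02"):
        print(sample.hex(), "->", classify(sample))
```

Running it shows that a payload containing all three byte pairs is the only kind that reaches the alert rule; a payload missing any one of them is matched by the corresponding negated pass rule first.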
