Snort mailing list archives

Rules with multiple contents specified


From: "gurmeet singh" <gmeetsingh () hotmail com>
Date: Fri, 02 Apr 2004 04:56:04 +0000

Hi,

I am new to Snort. Can someone tell me what it means when multiple contents are specified in a rule, as in the following rule? Does it mean that all the contents MUST be matched, and does it also mean that they should be in the same sequence as specified in the rule, or does the sequencing not matter (e.g., for the following rule, should "uid=" and "(web)" be in the same sequence, or can "(web)" come before "uid=")?

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"(web)"; classtype:bad-unknown; sid:1884; rev:2;)

Thanks
GM
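
Added example, not part of the original post: a simplified Python model of how Snort evaluates the two `content` options in the rule above. Every `content` must match for the rule to fire, and a `content` without a relative modifier is searched from the start of the payload, so order does not matter unless a modifier such as `distance` ties it to the previous match. The function name, the `ORDER_ENFORCED` variant (`content:"(web)"; distance:0;`) and the payloads are assumptions constructed for illustration.

```python
# Simplified model of how Snort evaluates `content` options against a payload.
# Each entry is (pattern, distance): distance=None is a plain `content`;
# an integer models `content:"..."; distance:N;` (relative to the previous match).

def rule_matches(payload: bytes, contents) -> bool:
    def step(i: int, prev_end: int) -> bool:
        if i == len(contents):
            return True                      # every content matched: rule fires
        pattern, distance = contents[i]
        # Plain content: search the whole payload from offset 0.
        # Relative content: search only after the end of the previous match.
        pos = 0 if distance is None else max(0, prev_end + distance)
        while True:
            hit = payload.find(pattern, pos)
            if hit < 0:
                return False                 # one missing content fails the rule
            if step(i + 1, hit + len(pattern)):
                return True
            pos = hit + 1                    # retry a later occurrence

    return step(0, 0)

# The two contents of sid:1884 as posted, and a hypothetical order-enforcing variant.
SID_1884 = [(b"uid=", None), (b"(web)", None)]
ORDER_ENFORCED = [(b"uid=", None), (b"(web)", 0)]

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "id output": b"uid=33(web) gid=33(web) groups=33(web)",
    "reversed": b"owner (web) has uid=33",
    "root only": b"uid=0(root) gid=0(root)",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name,
              "| as posted:", rule_matches(payload, SID_1884),
              "| with distance:0:", rule_matches(payload, ORDER_ENFORCED))
```
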
