Snort mailing list archives

(no subject)


From: alex dina <alexander_dina () yahoo com>
Date: Mon, 25 Mar 2013 13:16:20 -0700 (PDT)

 
Hi,
Please shed some light on the rules below. I would like to modify the original rule 1 so that it does not alert on the content
“kijiji.com” but only alerts on “jiji.com”. Please see rules 2 & 3; would either be the correct syntax to accomplish the
intent?
Thank you!
 
1. alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (msg:"Known Intrusion Set DNS beacon over port 80"; 
flow:established,to_server; content:"jiji.com"; nocase; reference:"High Side SpreadSheet"; sid:1001570; rev:1; 
classtype:unknown; )  
2.  alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (msg:"Known Intrusion Set DNS beacon over port 80"; 
flow:established,to_server; content: "jiji.com" & ! “kijiji.com”; nocase; reference:"High Side SpreadSheet"; rev:2; 
classtype:unknown; )
 
3. alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (msg:"Known Intrusion Set DNS beacon over port 80"; 
flow:established,to_server; content: "jiji.com"; ! “kijiji.com”; nocase; reference:"High Side SpreadSheet"; rev:2; 
classtype:unknown; )
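Editor's note, as an added example that is not part of the original message or of the Snort project: Snort expresses "contains jiji.com but not kijiji.com" as a second content option negated with `!`, each carrying its own `nocase`, rather than the `&` or bare `!` forms in rules 2 and 3. The model below assumes non-relative content matching (each pattern is searched over the whole payload), keeps sid and classtype from rule 1, and the sample request lines are constructed, not captured traffic.

```python
import re

# Suggested Snort rule (editor's version of rule 1, not from the original post).
# Both content options must succeed; the negated one succeeds only when its
# pattern is absent from the payload. 'reference' is omitted here.
SUGGESTED_RULE = (
    'alert tcp $HOME_NET any <> $EXTERNAL_NET 80 ('
    'msg:"Known Intrusion Set DNS beacon over port 80"; '
    'flow:established,to_server; '
    'content:"jiji.com"; nocase; '
    'content:!"kijiji.com"; nocase; '
    'sid:1001570; rev:2; classtype:unknown;)'
)

def content_matches(payload: bytes, pattern: bytes, negated: bool, nocase: bool) -> bool:
    """Model one non-relative Snort 'content' option searched over the whole payload."""
    hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    found = needle in hay
    return (not found) if negated else found

def rule_fires(payload: bytes) -> bool:
    """Evaluate the two content options of SUGGESTED_RULE against one payload."""
    return (content_matches(payload, b"jiji.com", negated=False, nocase=True)
            and content_matches(payload, b"kijiji.com", negated=True, nocase=True))

# Caveat: a negated content suppresses the alert whenever "kijiji.com" appears
# anywhere, even if a separate "jiji.com" is also present. A single pcre with a
# negative lookbehind alerts on "jiji.com" unless that occurrence is "kijiji.com".
PCRE_ALTERNATIVE = 'pcre:"/(?<!ki)jiji\\.com/i";'
_PCRE = re.compile(rb"(?<!ki)jiji\.com", re.IGNORECASE)

def pcre_fires(payload: bytes) -> bool:
    """Evaluate the pcre alternative against one payload."""
    return _PCRE.search(payload) is not None

# Constructed sample HTTP requests -> (content-rule result, pcre result).
SAMPLES = {
    b"GET / HTTP/1.1\r\nHost: jiji.com\r\n\r\n": (True, True),
    b"GET / HTTP/1.1\r\nHost: www.KIJIJI.com\r\n\r\n": (False, False),
    b"GET / HTTP/1.1\r\nHost: jiji.com\r\nReferer: http://kijiji.com/\r\n\r\n": (False, True),
}

def check_samples() -> dict:
    """Run both evaluators over the constructed samples."""
    return {p: (rule_fires(p), pcre_fires(p)) for p in SAMPLES}

if __name__ == "__main__":
    for payload, result in check_samples().items():
        print(payload.split(b"\r\n")[1].decode(), "->", result)
```

The third sample shows the difference between the two approaches: the negated content form stays silent when both strings appear in one payload, while the pcre form still alerts on the standalone jiji.com.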
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
