Snort mailing list archives
(no subject)
From: alex dina <alexander_dina () yahoo com>
Date: Mon, 25 Mar 2013 13:16:20 -0700 (PDT)
Hi,

Please shed some light on the rules below. I would like to modify the original rule 1 not to alert on the content “kijiji.com” but only alert on “jiji.com”. Please see rules 2 & 3: will either be the correct syntax to accomplish the intent? Thank you!

1. alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (msg:"Known Intrusion Set DNS beacon over port 80"; flow:established,to_server; content:"jiji.com"; nocase; reference:"High Side SpreadSheet"; sid:1001570; rev:1; classtype:unknown; )

2. alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (msg:"Known Intrusion Set DNS beacon over port 80"; flow:established,to_server; content: "jiji.com" & ! “kijiji.com”; nocase; reference:"High Side SpreadSheet"; rev:2; classtype:unknown; )

3. alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (msg:"Known Intrusion Set DNS beacon over port 80"; flow:established,to_server; content: "jiji.com"; ! “kijiji.com”; nocase; reference:"High Side SpreadSheet"; rev:2; classtype:unknown; )
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
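An added worked example, not part of the thread above and not Snort's own code. Neither rule 2 nor rule 3 is valid Snort syntax: the content option takes a single string, and `! "..."` is not an option on its own. Rule 1 fires on kijiji.com because "jiji.com" is a substring of it. Two ways to express the intent in a real rule are a negated second content match (`content:"jiji.com"; nocase; content:!"kijiji.com"; nocase;`) or a PCRE with a lookbehind (`pcre:"/(?<![a-z0-9-])jiji\.com(?![a-z0-9-])/i";`). The script below emulates the payload-matching semantics of all three against a few constructed HTTP request payloads (sample data, not captured traffic) so the difference is visible: the negated-content form suppresses the alert on any payload that also mentions kijiji.com, while the lookbehind form only rejects the substring when it is part of a longer label.

```python
import re

# Constructed sample payloads (not from the mailing-list thread): client-to-server
# HTTP requests as Snort would see them on port 80 with flow:to_server.
PAYLOADS = {
    "kijiji_only": b"GET / HTTP/1.1\r\nHost: www.kijiji.com\r\n\r\n",
    "jiji_only": b"GET /beacon HTTP/1.1\r\nHost: jiji.com\r\n\r\n",
    "both": b"GET / HTTP/1.1\r\nHost: www.kijiji.com\r\nReferer: http://jiji.com/\r\n\r\n",
    "uppercase": b"GET / HTTP/1.1\r\nHost: JIJI.COM\r\n\r\n",
    "unrelated": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}


def rule1_matches(payload: bytes) -> bool:
    # Rule 1 from the thread:  content:"jiji.com"; nocase;
    # A content match is a plain case-insensitive substring test, so "kijiji.com"
    # satisfies it too.
    return b"jiji.com" in payload.lower()


def negated_content_matches(payload: bytes) -> bool:
    # Candidate A (assumed rewrite, not from the thread):
    #   content:"jiji.com"; nocase; content:!"kijiji.com"; nocase;
    # Both content options are evaluated independently over the whole payload:
    # the first must be present and the second must be absent anywhere.
    p = payload.lower()
    return b"jiji.com" in p and b"kijiji.com" not in p


# Candidate B (assumed rewrite, not from the thread):
#   pcre:"/(?<![a-z0-9-])jiji\.com(?![a-z0-9-])/i";
# The lookbehind rejects "jiji.com" when it is the tail of a longer DNS label
# (ki|jiji.com); a preceding "." is still allowed so sub.jiji.com matches.
# The lookahead stops "jiji.company" from matching as well.
JIJI_RE = re.compile(rb"(?<![a-z0-9-])jiji\.com(?![a-z0-9-])", re.IGNORECASE)


def pcre_matches(payload: bytes) -> bool:
    return JIJI_RE.search(payload) is not None


def evaluate(payloads=PAYLOADS):
    """Return {payload_name: {rule_name: alerted}} for every candidate rule."""
    return {
        name: {
            "rule1": rule1_matches(p),
            "negated_content": negated_content_matches(p),
            "pcre": pcre_matches(p),
        }
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    results = evaluate()
    print(f"{'payload':<14}{'rule1':<8}{'negated':<10}{'pcre'}")
    for name, r in results.items():
        print(f"{name:<14}{str(r['rule1']):<8}{str(r['negated_content']):<10}{r['pcre']}")
```

The "both" payload is the case that separates the two rewrites: the negated-content form stays silent because kijiji.com appears somewhere in the same packet, whereas the PCRE form still alerts on the separate jiji.com reference. Which behaviour is wanted depends on whether a single stray kijiji.com string should be allowed to mask a real beacon. In either real rule, keep the original content match in front of the pcre option so the fast pattern matcher can discard most traffic before PCRE runs.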
Current thread:
- (no subject) Nikola Vulovic (Jan 12)
- Re: (no subject) Joel Esler (Jan 12)
- <Possible follow-ups>
- Re: (no subject) Y M (Jan 12)
- (no subject) Agent Smith (Jan 30)
- Re: (no subject) Joel Esler (Jan 30)
- Re: (no subject) waldo kitty (Jan 30)
- Re: (no subject) Joel Esler (Jan 30)
- (no subject) alex dina (Mar 25)
- Re: (no subject) lists () packetmail net (Mar 25)