Snort mailing list archives
Multiple CONTENT: rule
From: "Ben Johansen" <benj () intelisoft net>
Date: Tue, 21 Aug 2001 16:06:56 -0700
Hi All.

Let's say I have a file called "calendar.html" in the root of my website.

Current rule in web-cgi.rules (giving me false positives):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI calendar access";flags: A+; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:1;)

To alter the uricontent to exclude calendar.html from triggering the rule, would it look like this?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI calendar access";flags: A+; uricontent:"/calendar"; uricontent:!"/calendar.html"; nocase; classtype:attempted-recon; sid:882; rev:1;)

I think this rule is for CVE-2000-0432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0432

Under content (pg 16), the 1.8.1 Snort Users manual states "Note that multiple content rules can be specified in one rule" but doesn't give an example.

Ben Johansen - www.pcforge.com
list commands: www.pcforge.com/WiTangoTalk.htm