Snort mailing list archives
RE: Need help with a rule
From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 9 Apr 2002 16:43:21 -0600 (MDT)
In that case, you'd produce a set of rules, each of which look for one of the following: twenty. twenty, twenty(space) etc.. Not very elegant, I know. Snort is supposed to improve regex features in 2.0 I think, that may help then. Ryan On Tue, 9 Apr 2002, Sheahan, Paul (PCLN-NW) wrote:
In some cases I do know the set of characters that might follow "twenty". Let's say I want an alert for "twenty" but not "twentyone" and that is it. Do you think that might be possible to create a rule for? Thanks again! -----Original Message----- From: Ryan Russell [mailto:ryan () securityfocus com] Sent: Tuesday, April 09, 2002 6:22 PM To: Sheahan, Paul (PCLN-NW) Cc: Snort List (E-mail) Subject: Re: [Snort-users] Need help with a rule On Tue, 9 Apr 2002, Sheahan, Paul (PCLN-NW) wrote:I'm looking to create a rule that looks for content such as the word "twenty", but don't want to the rule to trip when the content is "twentyone", "twentytwo" etc.I don't think so, unless you know the whole set of characters that might follow "twenty", such as space, period, comma, etc.. Ryan
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Need help with a rule Sheahan, Paul (PCLN-NW) (Apr 09)
- Re: Need help with a rule Ryan Russell (Apr 09)
- <Possible follow-ups>
- RE: Need help with a rule Sheahan, Paul (PCLN-NW) (Apr 09)
- RE: Need help with a rule Ryan Russell (Apr 09)
- Re: Need help with a rule Andreas Östling (Apr 10)
- RE: Need help with a rule Estes, Matt CPR / FCBS (Apr 10)