Snort mailing list archives
RE: Need help with a rule
From: "Estes, Matt CPR / FCBS" <Matt.Estes () eis army mil>
Date: Wed, 10 Apr 2002 08:39:33 -0400
Why not just use a pass rule for "twentyone" and then an alert rule for "twenty"? Make sure you pass the -o option to use pass rules.

Matt
-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: Tuesday, April 09, 2002 6:43 PM
To: Sheahan, Paul (PCLN-NW)
Cc: Snort List (E-mail)
Subject: RE: [Snort-users] Need help with a rule

In that case, you'd produce a set of rules, each of which looks for one of the following:

twenty.
twenty,
twenty(space)

etc. Not very elegant, I know. Snort is supposed to improve regex features in 2.0 I think, that may help then.

Ryan

On Tue, 9 Apr 2002, Sheahan, Paul (PCLN-NW) wrote:

> In some cases I do know the set of characters that might follow "twenty". Let's say I want an alert for "twenty" but not "twentyone" and that is it. Do you think that might be possible to create a rule for? Thanks again!
>
> -----Original Message-----
> From: Ryan Russell [mailto:ryan () securityfocus com]
> Sent: Tuesday, April 09, 2002 6:22 PM
> To: Sheahan, Paul (PCLN-NW)
> Cc: Snort List (E-mail)
> Subject: Re: [Snort-users] Need help with a rule
>
> On Tue, 9 Apr 2002, Sheahan, Paul (PCLN-NW) wrote:
>
>> I'm looking to create a rule that looks for content such as the word "twenty", but don't want the rule to trip when the content is "twentyone", "twentytwo" etc.
>
> I don't think so, unless you know the whole set of characters that might follow "twenty", such as space, period, comma, etc.
>
> Ryan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
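Added example, not part of the thread and not Snort's own code: a simplified Python model of how Snort 1.x walks rule types (Alert->Pass->Log by default, Pass->Alert->Log with `-o`), set beside the one-rule-per-delimiter approach from the quoted reply. The rule text in the comments, the sample payloads and all function names are constructed for illustration, and a matching pass rule is modelled as ending evaluation for that packet, which is why a packet holding both "twentyone" and a standalone "twenty" raises no alert.

```python
# Simplified model of Snort 1.x rule-type ordering (assumption: first match wins).
# Rules being modelled (constructed for this example):
#   pass  tcp any any -> any any (content:"twentyone";)
#   alert tcp any any -> any any (msg:"twenty seen"; content:"twenty";)
RULES = [
    ("alert", b"twenty"),
    ("pass", b"twentyone"),
]

DEFAULT_ORDER = ("alert", "pass", "log")  # rule-type order without -o
PASS_FIRST = ("pass", "alert", "log")     # rule-type order with -o

def evaluate(payload, order):
    """Return the action of the first rule that matches, or None."""
    for action in order:
        for rule_action, content in RULES:
            if rule_action == action and content in payload:
                return action
    return None

# Per-delimiter approach: one content rule per character known to follow the word.
DELIMS = b" .,"

def delimited_match(payload, word=b"twenty", delims=DELIMS):
    """True if `word` is followed by one of the known delimiters."""
    return any(word + bytes([d]) in payload for d in delims)

# Constructed sample payloads.
SAMPLES = [
    b"order of twenty units",
    b"order of twentyone units",
    b"twentyone units, then twenty more",  # both strings in one packet
    b"total: twenty",                      # word at end of payload
]

def report():
    """Summarise each sample as (payload, default, with -o, per-delimiter)."""
    return [
        (p, evaluate(p, DEFAULT_ORDER), evaluate(p, PASS_FIRST), delimited_match(p))
        for p in SAMPLES
    ]

if __name__ == "__main__":
    for payload, default, with_o, delim in report():
        print(f"{payload!r:40} default={default} -o={with_o} delimited={delim}")
```

The last sample shows the limit of the per-delimiter rules: a "twenty" that ends the payload has no trailing character to match on.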