Snort mailing list archives
(no subject)
From: <counterping () uk2 net>
Date: Tue, 10 Dec 2002 13:18:03 GMT
Hiya,

Having a little trouble writing a Snort Rule. (I am new to the game, so pls excuse my ignorance)

I would like to write a rule, alerting for 'NOT' a specific content. The problem arises when I try to use "Multiple Contents" (I'm wanting to use multiple 'OR' expressions).

The Logic: Alert if content is, NOT 'ABC' OR NOT 'DEF' OR NOT 'GHI'

My SNORT Rule:

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"NON RTP TRAFFIC"; content: !"|80 04"; content: !"|80 05"; content: !"|81 c8";)

This rule does not work, it's treating it as 'ANDs' therefore fails.

Any help would be greatly appreciated, cause I'm stuck ... real stuck

Cheers
Matt C
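Added example (not part of the original post and not Snort code): a small Python model of how the three negated content options in the rule above combine, run over constructed payloads. The function names and sample payloads are assumptions made for illustration; the byte patterns are the ones from the rule.

```python
# Models the combination of content options in one rule (illustrative, not Snort code).
from typing import Dict, List, Tuple

# (negated, pattern) pairs taken from the rule in the post.
RULE_CONTENTS: List[Tuple[bool, bytes]] = [
    (True, b"\x80\x04"),
    (True, b"\x80\x05"),
    (True, b"\x81\xc8"),
]

def content_hit(payload: bytes, negated: bool, pattern: bytes) -> bool:
    """One content option: with no offset/depth the whole payload is searched."""
    found = pattern in payload
    return (not found) if negated else found

def alert_all_options(payload: bytes, contents=RULE_CONTENTS) -> bool:
    """AND reading: every option in the rule must hold for the rule to fire."""
    return all(content_hit(payload, n, p) for n, p in contents)

def alert_any_option(payload: bytes, contents=RULE_CONTENTS) -> bool:
    """OR reading from the post: fire if at least one negated option holds."""
    return any(content_hit(payload, n, p) for n, p in contents)

def contains_any_pattern(payload: bytes, contents=RULE_CONTENTS) -> bool:
    """True if the payload carries at least one of the listed byte patterns."""
    return any(p in payload for _, p in contents)

# Constructed sample UDP payloads (not captured traffic).
SAMPLES: Dict[str, bytes] = {
    "rtp_pt4": b"\x80\x04\x00\x01" + b"\x00" * 8,
    "rtcp_sr": b"\x81\xc8\x00\x06" + b"\x00" * 8,
    "dns_query": b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x07example\x03com\x00",
    "all_three": b"\x80\x04\x80\x05\x81\xc8",
}

def evaluate(samples=SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample name to (AND-reading alert, OR-reading alert)."""
    return {name: (alert_all_options(p), alert_any_option(p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (and_alert, or_alert) in evaluate().items():
        print(f"{name:10s} AND-reading={and_alert!s:5s} OR-reading={or_alert}")
```

By De Morgan, the AND of the negated options is the same test as "payload contains none of the listed patterns", while the OR reading fires on every payload that lacks at least one of them.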