Snort mailing list archives
Re: (no subject)
From: Erick Mechler <emechler () techometer net>
Date: Tue, 10 Dec 2002 08:12:45 -0800
:: I would like to write a rule, alerting for 'NOT' a specific content.
:: The problem arises when I try to use "Multiple Contents" (I'm wanting to use
:: multiple 'OR' expressions)
::
:: The Logic:
:: Alert if content is, NOT 'ABC' OR NOT 'DEF' OR NOT 'GHI'

I think the best way to do this would be to write 4 rules in your own library, not just one rule. The first three will check that the content doesn't match the given binary string, and the last one will alert if it's reached.
From Section 2.1 of the Snort Manual:
    All of the elements that make up a rule must be true for the indicated
    rule action to be taken. When taken together, the elements can be
    considered to form a logical AND statement. At the same time, the
    various rules in a Snort rules library file can be considered to form
    a large logical OR statement.

What I would suggest:

    pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content:!"|80 04|";)
    pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content:!"|80 05|";)
    pass udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RTP TRAFFIC"; content:!"|81 c8|";)
    alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"NON RTP TRAFFIC";)

FAQ entry 3.13 should explain how this would get converted into a rulechain.

http://www.snort.org/docs/faq.html#3.13

Cheers - Erick
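As an added illustration (not part of Erick's post or of Snort itself), the following Python model walks constructed UDP payloads through the four rules above, applying the content semantics the manual describes: a negated content (`content:!"..."`) matches when the bytes are absent. It assumes the pass rules are evaluated before the alert rule, which is the ordering the reply relies on.

```python
# Model of the four-rule chain suggested in the reply. Added example, not
# code from the post or from Snort. Assumption: pass rules are evaluated
# before the alert rule, so a packet matched by any pass rule never reaches
# the alert rule.

RULES = [
    # (action, msg, content bytes, negated?)
    ("pass",  "RTP TRAFFIC",     bytes.fromhex("80 04"), True),   # content:!"|80 04|"
    ("pass",  "RTP TRAFFIC",     bytes.fromhex("80 05"), True),   # content:!"|80 05|"
    ("pass",  "RTP TRAFFIC",     bytes.fromhex("81 c8"), True),   # content:!"|81 c8|"
    ("alert", "NON RTP TRAFFIC", None,                   False),  # no content option
]


def content_matches(payload: bytes, pattern, negated: bool) -> bool:
    """Snort content option: a plain content matches when the pattern is
    found in the payload; a negated content matches when it is absent.
    A rule with no content option matches every packet."""
    if pattern is None:
        return True
    found = pattern in payload
    return (not found) if negated else found


def evaluate(payload: bytes):
    """Return (action, msg) of the first rule that matches the payload in
    the assumed pass-then-alert order, or (None, None) if nothing matches."""
    for action, msg, pattern, negated in RULES:
        if content_matches(payload, pattern, negated):
            return action, msg
    return None, None


# Constructed sample UDP payloads (hand-made, not captured traffic).
SAMPLES = {
    "starts_with_80_04": bytes.fromhex("80 04 00 01 00 00 00 00 00 00 00 00"),
    "all_three_present": bytes.fromhex("80 04 80 05 81 c8"),
    "none_present":      bytes.fromhex("00 11 22 33"),
}


def classify_all() -> dict:
    """Run every sample through the chain and report which rule fired."""
    return {name: evaluate(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, msg) in classify_all().items():
        print(f"{name:20s} -> {action} ({msg})")
```

Only a payload that fails all three pass rules, i.e. one in which none of the negated contents matches, falls through to the alert rule.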