Snort mailing list archives
Re: Negate Content - Snort Rules
From: "Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Sat, 12 Jun 2021 17:49:49 +0000
Also, the answer is “because you can’t do a relative match to something that doesn’t exist (distance:1; within:10;)”. So, in order to do what you want to do, you have to do the positive match and then read backwards. Which is why I ask what the error you’re receiving is.

— Sent from my iPad
On Jun 12, 2021, at 13:48, jesler () cisco com wrote:

> What is the error you’re receiving?
>
> — Sent from my iPad
>
> On Jun 11, 2021, at 10:57, João Pedro Lola via Snort-sigs <snort-sigs () lists snort org> wrote:
>
>> Hello All,
>>
>> In a Snort rule, why can't I have two negated contents and a third non-negated content? If I can, how do I write it so that it works?
>>
>> Example:
>>
>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS ( \
>>     msg:"a message..."; flow:stateless; \
>>     content:!"|76 69 64 65 6f 2f 6d 70 65 67|"; offset:13; depth:10; \
>>     content:!"|61 75 64 69 6f 2f 6d 70 65 67|"; distance:1; within:10; \
>>     content:"|61 75 64 69 6f 2f 6d 70 65 67|"; distance:1; within:10; \
>>     classtype:tcp-connection; sid:3024678; rev:1; )
>>
>> Best Regards,
>> João Lola
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs () lists snort org
>> https://lists.snort.org/mailman/listinfo/snort-sigs
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>> Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
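Joel's point above, that a relative modifier has nothing to anchor to when the previous content is negated, as an added example that is not code from this thread or from Snort: a small Python model of how a chain of content options is evaluated, using the two hex patterns from the posted rule. It assumes simplified semantics (offset/depth are absolute; distance/within are relative to the end of the previous positive match; a negated content never moves that cursor; a negative distance reads backwards; the pattern must fit entirely inside the depth/within window), and the names Content, evaluate, check, POSTED and REORDERED are my own.

```python
from dataclasses import dataclass
from typing import Optional
VIDEO = bytes.fromhex("766964656f2f6d706567")  # |76 69 64 65 6f 2f 6d 70 65 67| = "video/mpeg"
AUDIO = bytes.fromhex("617564696f2f6d706567")  # |61 75 64 69 6f 2f 6d 70 65 67| = "audio/mpeg"

@dataclass
class Content:
    pattern: bytes
    negated: bool = False
    offset: int = 0                  # absolute modifiers: offset/depth
    depth: Optional[int] = None
    distance: Optional[int] = None   # relative modifiers: distance/within (need a cursor)
    within: Optional[int] = None

def evaluate(payload: bytes, chain: list) -> bool:
    """Modelled content-chain evaluation (an assumption, not Snort's engine). True when
    every clause holds; ValueError when a relative clause has no positive match to anchor to."""
    cursor = None  # byte offset just past the last positive match
    for c in chain:
        if c.distance is not None or c.within is not None:
            if cursor is None:
                raise ValueError("relative content with no previous positive match")
            start, window = max(0, cursor + (c.distance or 0)), c.within
        else:
            start, window = c.offset, c.depth
        haystack = payload[start:] if window is None else payload[start:start + window]
        idx = haystack.find(c.pattern)  # the pattern must fit entirely inside the window
        if c.negated:
            if idx != -1:
                return False  # the forbidden pattern is present
            continue          # satisfied, but it leaves the cursor untouched
        if idx == -1:
            return False
        cursor = start + idx + len(c.pattern)
    return True

# The chain in the posted order: negated, negated + relative, positive + relative.
POSTED = [Content(VIDEO, negated=True, offset=13, depth=10),
          Content(AUDIO, negated=True, distance=1, within=10),
          Content(AUDIO, distance=1, within=10)]

# Joel's hint applied: positive match first, then read backwards from it (negative distance, assumed).
REORDERED = [Content(AUDIO, offset=13, depth=10),
             Content(VIDEO, negated=True, distance=-20, within=10)]

def check(payload: bytes, chain: list):
    try:                      # verdict, or the reason the chain cannot be evaluated
        return evaluate(payload, chain)
    except ValueError as e:
        return str(e)
```

With a constructed payload such as `b"\x00" * 3 + VIDEO + AUDIO`, `check(payload, POSTED)` returns the anchoring error for the second clause, while `check(payload, REORDERED)` evaluates and returns False because "video/mpeg" sits in the ten bytes before the positive match.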