Snort mailing list archives

Re: How's best to alert on Web connections that *don't* contain particular content?


From: Brian <bmc () snort org>
Date: Wed, 26 Feb 2003 10:04:12 -0500

On Wed, Feb 26, 2003 at 09:46:32AM +1300, Jason Haar wrote:
> alert tcp $DMZES_NETS any -> any 80 (msg:"DMZ host communicating to an \
> unsupported service";flow:to_server,established; content:"Host|3a|"; \
> regex:!"Host|3a|*trend";nocase;tag: session, 10,packets;\
> classtype:successful-admin;sid:1000001;rev:2;\
> reference: url,/secure/cvename.php?name=1000001;)

The regex key is massively broken.  Use distance and within (which
provide nearly the same functionality, except that it actually works)

Try this:

alert tcp $DMZES_NETS any -> any 80 (msg:"foo"; flow:to_server,established; \
  content:"Host|3a|"; content:!"trend"; within:250; nocase; \
  tag:session,10,packets; classtype:successful-admin; sid:1000001; rev:2;)

-brian
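As an added example (not part of the thread or of Snort itself), a small Python model of how the content tests in Brian's corrected rule are evaluated, run over constructed HTTP requests; the function name, constants and sample requests are assumptions made for illustration.

```python
# Added example: a Python model of how Snort 2.x evaluates the content tests
# in the corrected rule body (this is not Snort code; names and sample
# requests are constructed for illustration).
#
#   content:"Host|3a|"; content:!"trend"; within:250; nocase;
#
# Semantics modelled: the first content is a plain search for "Host:"; the
# modifiers that follow the second content apply to it, so "trend" is looked
# for case-insensitively (nocase) but only in the 250 bytes (within) after the
# end of the "Host:" match, and the negated test succeeds when it is NOT found.

ANCHOR = b"Host:"      # |3a| is the hex escape for ':'
EXCLUDED = b"trend"
WINDOW = 250


def rule_body_matches(payload: bytes) -> bool:
    """Return True when the rule's content tests succeed, i.e. the request
    carries a Host header but 'trend' is absent from the 250 bytes after it."""
    start = payload.find(ANCHOR)
    if start == -1:
        return False          # first content failed: no alert
    end = start + len(ANCHOR)
    window = payload[end:end + WINDOW].lower()  # nocase: compare lowercased
    return EXCLUDED not in window               # negated content: absent == match


# Constructed HTTP requests (not real traffic) exercising the rule.
SAMPLE_REQUESTS = {
    "to_expected_host": b"GET /update HTTP/1.1\r\nHost: updates.TREND.example\r\n\r\n",
    "to_other_host":    b"GET / HTTP/1.1\r\nHost: www.example.net\r\n\r\n",
    "no_host_header":   b"GET / HTTP/1.0\r\n\r\n",
    # The window is byte-based, not header-based: "trend" in a later header
    # within 250 bytes still suppresses the alert, a caveat of this approach.
    "trend_in_other_header": (b"GET / HTTP/1.1\r\nHost: www.example.net\r\n"
                              b"User-Agent: trendy-browser\r\n\r\n"),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:24s} alert={rule_body_matches(req)}")
```

Only the second request alerts; the fourth shows that the negated content is scoped to a byte window after "Host:", not to the Host header line itself.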

