[Snort-devel] Little new feature

Martin Roesch roesch at ...48...
Thu Feb 8 11:04:34 EST 2001


Hey guys,
    I know we're working on getting the 1.7.1 bugfix version together,
but last night I added in a new feature: exception matching for content
options.  What this means is that you can specify a bang (!) before the
quoted search string in a content option now and it will search for
payloads that *do not* match the specified pattern.  This can be
especially useful when you want to search for a payload that has one
thing but not another.  Here's a simple rule to demonstrate usage of
this new feature:

alert tcp any any -> $HOME_NET 80 (flags: A+; content: "HEAD"; nocase;
content: !"GET"; nocase; msg: "exception content rule example";)

I predict this might be useful for something in the near future... :)

Anyway, this should be available in the daily tarball at sourceforge
later on today or directly from CVS immediately.

    -Marty

--
Martin Roesch
roesch at ...48...
http://www.snort.org
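
Added example, not part of the original message and not Snort's own code: a simplified Python model of how the two content options in the rule above combine, run over constructed payloads. It ignores the rule header, the flags option and offset/depth, splits options naively on ";", and the function names are hypothetical.

```python
import re

# Rule text as posted in the message, joined onto one line.
RULE = ('alert tcp any any -> $HOME_NET 80 (flags: A+; content: "HEAD"; nocase; '
        'content: !"GET"; nocase; msg: "exception content rule example";)')

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "head_request": b"HEAD /index.html HTTP/1.0\r\n\r\n",
    "get_request": b"GET /head.html HTTP/1.0\r\n\r\n",
    "head_widget": b"HEAD /widget.html HTTP/1.0\r\n\r\n",
    "post_request": b"POST /form HTTP/1.0\r\n\r\n",
}


def parse_content_options(rule):
    """Return [(pattern, negated, nocase), ...] for each content option."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    checks = []
    for opt in (o.strip() for o in body.split(";")):
        m = re.fullmatch(r'content:\s*(!?)\s*"(.*)"', opt)
        if m:
            checks.append([m.group(2).encode(), m.group(1) == "!", False])
        elif opt == "nocase" and checks:
            checks[-1][2] = True  # nocase modifies the preceding content option
    return [tuple(c) for c in checks]


def payload_matches(checks, payload):
    """All plain contents must be present and all negated contents absent."""
    for pattern, negated, nocase in checks:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        found = needle in hay  # unanchored search over the whole payload
        if found == negated:   # present-but-negated, or absent-but-required
            return False
    return True


def evaluate_samples():
    checks = parse_content_options(RULE)
    return {name: payload_matches(checks, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:13} {'alert' if hit else 'no alert'}")
```

The head_widget payload does not alert because the negated "GET" is matched case-insensitively anywhere in the payload, including inside "widget"; a rule author relying on a negated content has to account for such incidental substrings.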



