Why not write two Snort rules?<div><br></div><div>Richard<br><br>On Tuesday, May 29, 2012, mayssa jemel wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div><div dir="ltr">
<p style="line-height:13px"><font face="Arial" size="3">Hi to all,</font></p>
<p style="line-height:13px"><font face="Arial" size="3">I am a student at Telecom ParisTech, France, and I am interested in Snort.</font></p>
<p style="line-height:13px"><font face="Arial" size="3">Actually, I am working on adding some functionalities to Snort in my master project.</font></p>
<p style="line-height:13px"><font face="Arial" size="3">The idea is to add logic operators in the option field of Snort rules to optimize the detection of attacks.</font></p>
<p style="line-height:13px"><font face="Arial" size="3">For example, rules become:</font></p>
<p style="line-height:13px"><font face="Arial" size="3">     alert tcp @src prtsrc -> @dest prtdest (content:"FFEE3499" <font color="#ff0000"><b>or</b></font> content: " FFEE5698"; msg:"*****")</font></p>
<p style="line-height:13px"><font face="Arial" size="3">I really need your experience to help me know if the realisation is possible and what kind of modifications I should make in the different Snort files.</font></p>
<p style="line-height:13px"><font face="Arial" size="3">Thanks in advance</font></p></div></div>
</blockquote></div>
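<p>The two-rule approach suggested in the reply, shown as an added example that is not part of the original thread: a small Python pre-processor that expands the proposed <b>or</b> syntax into one standard rule per alternative. The function names, the starting sid (1000001, in the range conventionally used for local rules) and the appended <code>sid</code>/<code>rev</code> options are assumptions; the sample rule is the one quoted above, with its placeholders left as posted.</p>

```python
import itertools
import re

def split_outside_quotes(text, sep_pattern):
    """Split text on the regex sep_pattern, ignoring matches inside "quotes"."""
    sep = re.compile(sep_pattern)
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and in_quote and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep escaped \" or \; intact
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            m = sep.match(text, i)
            if m:                          # separator found outside quotes
                parts.append("".join(buf).strip())
                buf, i = [], m.end()
                continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def expand_or_rule(rule, first_sid=1000001):
    """Turn one rule using the proposed 'or' into equivalent standard rules."""
    header, _, rest = rule.partition("(")
    body = rest[:rest.rindex(")")]         # option text between the parentheses
    # Each ';'-separated slot holds one option or several joined by 'or'.
    slots = [split_outside_quotes(opt, r"\s+or\s+")
             for opt in split_outside_quotes(body, ";")]
    rules = []
    # One output rule per combination of alternatives (assumed sid per rule).
    for n, combo in enumerate(itertools.product(*slots)):
        options = "; ".join(combo)
        rules.append(f"{header.strip()} ({options}; sid:{first_sid + n}; rev:1;)")
    return rules

# Rule from the quoted message; @src, prtsrc, @dest, prtdest are its placeholders.
SAMPLE = ('alert tcp @src prtsrc -> @dest prtdest '
          '(content:"FFEE3499" or content: " FFEE5698"; msg:"*****")')

if __name__ == "__main__":
    for line in expand_or_rule(SAMPLE):
        print(line)
```

<p>Unlike a single rule with a true OR, the expanded rules alert independently, so a packet containing both patterns raises two alerts.</p>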