[Snort-sigs] Why not the otherway around??

Chris Green cmg at ...26...
Wed Oct 17 18:40:15 EDT 2001

Brian <bmc at ...95...> writes:

> According to Chris Green:
> > To lower this type of false positive rate, I have thought about
>> creating something like "passcontent: admin_cmd.exe" that would work

> why passcontent?

Because I forgot about the following.  Thanks :-)

> use the following
> uricontent:"cmd.exe"; uricontent:!"admin_cmd.exe";
> That should work.  (If I remember correctly)

Ahh forgot about the [!] stuff.   Since i've typed it again and now in
a real rule, my brain will remember it.
Chris Green <cmg at ...26...>
This is my signature. There are many like it but this one is mine.

More information about the Snort-sigs mailing list