[Snort-sigs] Why not the other way around??
cmg at ...26...
Wed Oct 17 18:40:15 EDT 2001
Brian <bmc at ...95...> writes:
> According to Chris Green:
> > To lower this type of false positive rate, I have thought about
> > creating something like "passcontent: admin_cmd.exe" that would work
> why passcontent?
Because I forgot about the following. Thanks :-)
> use the following
> uricontent:"cmd.exe"; uricontent:!"admin_cmd.exe";
> That should work. (If I remember correctly)
Ahh forgot about the [!] stuff. Since I've typed it again and now in
a real rule, my brain will remember it.
Chris Green <cmg at ...26...>
This is my signature. There are many like it but this one is mine.