[Snort-sigs] Questions 101

Esler, Joel Contractor EslerJ at ...785...
Thu Apr 3 13:09:34 EST 2003


I did a content:"%20" and the rule works, don't know what it will pick up,
but I figure everything has a freaking space in it at some point.



-----Original Message-----
From: Chris Green [mailto:cmg at ...435...]
Sent: Thursday, April 03, 2003 4:05 PM
To: Esler, Joel Contractor
Cc: Snort Sigs
Subject: Re: [Snort-sigs] Questions 101


"Esler, Joel  Contractor" <EslerJ at ...785...> writes:

> To create a rule to look for specific IP's regardless of content would be???
>
> alert tcp <IP> any -> $home_net any; (MSG:<IP>; content:""; nocase;
> classification:misc-activity;)

alert ip 192.168.1.1 any -> $HOME_NET any (msg: "I want my... I want my... AYE PEA";)
-- 
Chris Green <cmg at ...435...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
