[Snort-sigs] To build a logical AND expression

Brian bmc at ...95...
Mon Dec 15 06:55:12 EST 2003


On Mon, Dec 15, 2003 at 11:54:21AM +0100, Martin Olsson wrote:
> I don't know how snort handles the doe_pointer when content searches
> DON'T match. If it is unmodified, I guess you could just add another
> inverted content search in order to create a logical AND...
> 
> msg:"SMTP HELO overflow attempt"; flow:to_server,established;
> content:"HELO "; offset:0; depth:5; content:!"|0a|"; within:500;
> content:!"|0d|"; within:500;

IIRC, it should.  However, you might just want to update to CURRENT
(soon to be 2.1) and use pcre.

-brian
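The two approaches in this thread, modelled in Python as an added example (not code from either poster and not Snort's detection engine). It assumes, as the quoted message does, that a negated content test leaves the search pointer where the "HELO " match put it; the regular expression is an assumed rendering of the pcre suggestion, and all payloads are constructed.

```python
import re

HELO = b"HELO "
WINDOW = 500  # the "within:500" value from the quoted rule

def negated_and_match(payload: bytes) -> bool:
    """Model of the quoted rule: "HELO " in bytes 0-4, then neither LF
    nor CR in the window that follows.

    Assumption: a negated test does not move the pointer, so both
    negated tests inspect the same window after "HELO ".
    """
    if not payload.startswith(HELO):          # content:"HELO "; offset:0; depth:5;
        return False
    window = payload[len(HELO):len(HELO) + WINDOW]
    no_lf = b"\x0a" not in window             # content:!"|0a|"; within:500;
    no_cr = b"\x0d" not in window             # content:!"|0d|"; within:500;
    return no_lf and no_cr                    # both must hold: logical AND

# Regex form (assumed pattern): one character class expresses
# "neither CR nor LF", and {500} requires the bytes to be present.
HELO_LONG = re.compile(rb"^HELO [^\r\n]{500}")

def pcre_style_match(payload: bytes) -> bool:
    return HELO_LONG.search(payload) is not None

# Constructed sample payloads
SAMPLES = {
    "normal":       b"HELO mail.example.com\r\n",
    "long_no_eol":  b"HELO " + b"A" * 600,
    "long_lf_only": b"HELO " + b"A" * 100 + b"\n" + b"A" * 600,
    "short_no_eol": b"HELO mail.example.com",   # e.g. line split across segments
    "not_helo":     b"EHLO " + b"A" * 600,
}

def evaluate() -> dict:
    """Return {sample name: (negated-AND result, regex result)}."""
    return {name: (negated_and_match(p), pcre_style_match(p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (neg, rx) in evaluate().items():
        print(f"{name:13s} negated-AND={neg!s:5s} regex={rx}")
```

In this model the two forms disagree only on `short_no_eol`: the negated tests see no CR or LF in the bytes that are present and fire, while the regex needs 500 such bytes before it matches.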



