[Snort-sigs] To build a logical AND expression
bmc at ...95...
Mon Dec 15 06:55:12 EST 2003
On Mon, Dec 15, 2003 at 11:54:21AM +0100, Martin Olsson wrote:
> I don't know how snort handle the doe_pointer when content searches
> DON'T match. If it is unmodified, I guess you could just add another
> inverted content search in order to create a logical AND...
> msg:"SMTP HELO overflow attempt"; flow:to_server,established;
> content:"HELO "; offset:0; depth:5; content:!"|0a|"; within:500;
> content:!"|0d|"; within:500;
IIRC, it should. However, you might just want to update to CURRENT
(soon to be 2.1) and use pcre.
More information about the Snort-sigs