[Snort-sigs] combining two rules?

Steven Bairstow sab139 at ...715...
Fri Feb 20 12:43:06 EST 2004


Is there any way that two rules that match on data differing only by one bit being set can be combined into one? As an example, here where 28 becomes 29:


alert udp $HOME_NET any -> $HOME_NET any (msg:"test test 1"; content:"|28 10 4C 4F|";)
alert udp $HOME_NET any -> $HOME_NET any (msg:"test test 2"; content:"|29 10 4C 4F|";)


-- 


Steven Bairstow                  http://www.personal.psu.edu/~sab139
Computer and Network Services - Sutherland Building
Penn State University - Abington College

"The machine is a marvelous simplifier... and may be the modern 
emancipator of the creative mind." -- Frank Lloyd Wright



