[Snort-sigs] (no subject)

Brian bmc at ...95...
Tue Feb 24 08:40:01 EST 2004


On Fri, Feb 20, 2004 at 04:35:46PM -0000, Abimbola, Abiola wrote:
> I tried to trigger an alert if and only if the keywords « John », « Napier »
> and « University » appear in this order, within say 20 packets. Each packet
> can contain each keyword. However, it does not seem to work.
> Any help will do.

alert tcp any any -> any any (content:"John"; flowbits:set,john; flowbits:noalert;)
alert tcp any any -> any any (content:"Napier"; flowbits:isset,john; flowbits:set,napier; flowbits:noalert;)
alert tcp any any -> any any (msg:"John Napier University"; content:"University"; flowbits:isset,napier;)

Brian
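
Added example, not part of Brian's message and not Snort code: a simplified Python model of how the three rules above chain through flowbits. It assumes rules are evaluated in the listed order for each packet, and the packet fields and sample traces are constructed. It shows that the chain enforces keyword order per flow, and that nothing in the rules limits the match to 20 packets.

```python
from collections import defaultdict

# One tuple per posted rule:
# (content, bit required by flowbits:isset, bit set by flowbits:set, msg or None for noalert)
RULES = [
    ("John", None, "john", None),
    ("Napier", "john", "napier", None),
    ("University", "napier", None, "John Napier University"),
]

def flow_key(pkt):
    """Both directions of a TCP connection share one flowbits state."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return tuple(ends)

def evaluate(packets):
    """Return (packet_index, msg) for every alert the three rules would raise."""
    flowbits = defaultdict(set)
    alerts = []
    for index, pkt in enumerate(packets):
        bits = flowbits[flow_key(pkt)]
        for content, required, to_set, msg in RULES:
            if content not in pkt["payload"]:      # case-sensitive, like content: without nocase
                continue
            if required is not None and required not in bits:
                continue                           # flowbits:isset failed, rule does not match
            if to_set is not None:
                bits.add(to_set)                   # flowbits:set
            if msg is not None:                    # rules with flowbits:noalert carry msg=None
                alerts.append((index, msg))
    return alerts

def pkt(payload, sport=40000):
    # Constructed sample packet; addresses and ports are made up.
    return {"src": "10.0.0.1", "sport": sport, "dst": "10.0.0.2", "dport": 80,
            "payload": payload}

IN_ORDER = [pkt("hello John"), pkt("filler"), pkt("Napier here"), pkt("the University")]
OUT_OF_ORDER = [pkt("the University"), pkt("Napier here"), pkt("hello John")]
# "John" on one connection, the other two keywords on a second connection
SPLIT_FLOWS = [pkt("hello John"), pkt("Napier here", sport=40001),
               pkt("the University", sport=40001)]
# 30 unrelated packets between "John" and "Napier": the bit stays set on the flow
LONG_GAP = [pkt("John")] + [pkt("x")] * 30 + [pkt("Napier"), pkt("University")]

if __name__ == "__main__":
    for name, trace in [("in order", IN_ORDER), ("out of order", OUT_OF_ORDER),
                        ("split flows", SPLIT_FLOWS), ("long gap", LONG_GAP)]:
        print(name, evaluate(trace))
```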



