[Snort-sigs] Multiple Keyword Sig, is it possible?

Erik de Castro Lopo erikd+snort at ...2555...
Wed Jun 16 22:43:04 EDT 2004


On Thu, 17 Jun 2004 00:21:36 -0500
Jeffrey Lowe <jeffrey.lowe at ...2440...> wrote:

> Is it possible to create a sig that will trigger on a variety of keywords 
> instead of needing a separate sig for each keyword? Such as a sig that 
> triggers on one of twenty different keywords?

Errr, PCRE?

    pcre:"/(one|two|three|four)/"

Should trigger on any of the above words.

However, according to this:

    http://www.snort.org/docs/snort_manual/node21.html

using PCRE without a CONTENT rule is not recommended.

Erik
-- 
------------------------------------------------------
[N] Erik de Castro Lopo, Senior Computer Engineer
[E] erik.de.castro.lopo at ...2555...
[W] http://www.sensorynetworks.com
[T] +61 2 83022726 
[F] +61 2 94750316 
[A] L4/140 William St, East Sydney NSW 2011, Australia
------------------------------------------------------
A good debugger is no substitute for a good test suite.
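
An added example, not part of the original post or of Snort itself: a Python helper that builds the single alternation `pcre` rule from a keyword list, hex-escaping anything that is not a letter or digit so a keyword cannot alter the regex or the rule syntax, and that dry-runs the pattern against constructed payloads. The `anchor` literal used as the `content` match, the `msg` text, the `sid` value and the `any any -> any any` header are assumptions for illustration.

```python
import re

def pcre_escape(keyword: str) -> str:
    """Keep ASCII letters/digits; hex-escape every other byte as \\xHH so
    regex metacharacters and rule-syntax characters (; " \\ /) stay literal."""
    return "".join(
        chr(b) if b < 128 and chr(b).isalnum() else "\\x%02x" % b
        for b in keyword.encode("utf-8")
    )

def build_pcre(keywords, nocase=True) -> str:
    """Return /(?:k1|k2|...)/ with empties and duplicates dropped, stable order."""
    words = sorted(set(k for k in keywords if k))
    body = "|".join(pcre_escape(k) for k in words)
    return "/(?:%s)/%s" % (body, "i" if nocase else "")

def build_rule(keywords, sid, anchor=None, msg="keyword list match") -> str:
    """Assemble one alert rule. `anchor` is an assumed literal that every
    interesting packet contains; it becomes a content match placed before pcre."""
    opts = ['msg:"%s"' % msg]
    if anchor is not None:
        if not (anchor.isascii() and anchor.isalnum()):
            raise ValueError("anchor must be plain ASCII letters/digits here")
        opts += ['content:"%s"' % anchor, "nocase"]
    opts += ['pcre:"%s"' % build_pcre(keywords), "sid:%d" % sid, "rev:1"]
    return "alert tcp any any -> any any (%s;)" % "; ".join(opts)

def matches(keywords, payload: bytes, nocase=True) -> bool:
    """Dry-run the generated pattern with Python's re, which reads this
    restricted syntax (literals, \\xHH, alternation) the same way PCRE does."""
    pattern = build_pcre(keywords, nocase)
    body = pattern[1:pattern.rindex("/")].encode("ascii")
    return re.search(body, payload, re.IGNORECASE if nocase else 0) is not None

if __name__ == "__main__":
    KEYWORDS = ["one", "two", "three", "four"]   # the words from the post
    print(build_rule(KEYWORDS, sid=1000001, anchor="HTTP"))
    # Constructed sample payloads
    for p in (b"GET /?q=THREE HTTP/1.0", b"hello world"):
        print(p, matches(KEYWORDS, p))
```

Without an `anchor`, the generated rule carries only the `pcre` option, which is the form the manual page linked in the post advises against.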



