[Snort-sigs] Pure Not Rule not Supported?
mkettler at ...189...
Mon Mar 8 12:28:10 EST 2004
At 01:01 PM 3/4/2004, Amanda Meyer wrote:
>alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP, NOT
>M$ Slow Link Det"; content: ! "WANG2"; dsize: >800;
>reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)
>What I hope to accomplish is to have the rule only alert if the large ICMP
>packet does NOT contain "WANG2," however, when I run snort (snort -A fast
>-bpc e:\snort\etc\snort.conf -l e:\snort\log) with this rule enabled I get
>the following error:
>SNORT DETECTION ENGINE: Pure Not Rule 'ICMP Large ICMP, NOT M$ Slow Link
>Det' not added to detection engine. These rules are not supported at this
You are correct.. AFAIK a rule with only negated content sections isn't
supported (yet)... you need at least one positive content before you can do
a negative content.
i.e.: content: "foo"; content: ! "bar" is fine, but content: ! "bar" alone is
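As an added illustration (not part of the thread and not Snort's own code), the following Python flags "pure not" rules, i.e. rules whose only content options are negated, before they are loaded into the engine, and includes a toy matcher that shows what the rule in the question was intended to express. The option parsing is a deliberately simplified regex approximation of Snort rule syntax (it handles `content`, `dsize` and `sid` only), and the second sample rule is a constructed example of the positive-plus-negated form described in the reply.

```python
import re

# Constructed sample rules. The first is the rule from the question; the
# second is a hypothetical rule with a positive content anchor in front
# of the negated one, the form the reply says the engine accepts.
RULE_PURE_NOT = (
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP, NOT '
    'M$ Slow Link Det"; content: ! "WANG2"; dsize: >800; '
    'reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)'
)
RULE_MIXED = (
    'alert tcp any any -> any any (msg:"demo positive plus negated"; '
    'content: "foo"; content: ! "bar"; sid:1000001; rev:1;)'
)

# Simplified option patterns (assumed, not Snort's real grammar).
CONTENT_RE = re.compile(r'content\s*:\s*(!?)\s*"([^"]*)"')
DSIZE_RE = re.compile(r'dsize\s*:\s*([<>]?)\s*(\d+)')
SID_RE = re.compile(r'sid\s*:\s*(\d+)')


def parse_contents(rule):
    """Return [(negated, pattern), ...] for every content option in the rule."""
    return [(neg == "!", pat) for neg, pat in CONTENT_RE.findall(rule)]


def is_pure_not(rule):
    """True when the rule has content options and every one of them is negated."""
    contents = parse_contents(rule)
    return bool(contents) and all(negated for negated, _ in contents)


def lint_rules(rules):
    """Return the sids of rules the engine would reject as 'pure not' rules."""
    rejected = []
    for rule in rules:
        if is_pure_not(rule):
            m = SID_RE.search(rule)
            rejected.append(int(m.group(1)) if m else None)
    return rejected


def matches(rule, payload):
    """Toy evaluation of dsize and content options against a raw payload.

    This models the intent of the rule (alert on large payloads that do NOT
    contain the pattern); it is not how Snort's detection engine works.
    """
    m = DSIZE_RE.search(rule)
    if m:
        op, n = m.group(1), int(m.group(2))
        size = len(payload)
        if op == ">" and not size > n:
            return False
        if op == "<" and not size < n:
            return False
        if op == "" and size != n:
            return False
    for negated, pat in parse_contents(rule):
        found = pat.encode() in payload
        # A positive content must be present; a negated one must be absent.
        if found == negated:
            return False
    return True


if __name__ == "__main__":
    print("rejected sids:", lint_rules([RULE_PURE_NOT, RULE_MIXED]))
    big_plain = b"A" * 900                    # constructed: large, no WANG2
    big_wang2 = b"WANG2" + b"A" * 900         # constructed: large, contains WANG2
    small = b"A" * 100                        # constructed: below dsize threshold
    for name, p in [("big_plain", big_plain), ("big_wang2", big_wang2), ("small", small)]:
        print(name, "->", matches(RULE_PURE_NOT, p))
```

Running the linter over a rules file before restarting the sensor turns the engine's load-time error into a pre-deployment check, and the matcher makes the difference between "absent" and "present" content explicit when reasoning about what a negated rule would and would not alert on.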