[Snort-sigs] Pure Not Rule not Supported?

Matt Kettler mkettler at ...189...
Mon Mar 8 12:28:10 EST 2004


At 01:01 PM 3/4/2004, Amanda Meyer wrote:
>alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP, NOT 
>M$ Slow Link Det"; content: ! "WANG2"; dsize: >800; 
>reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)
>
>What I hope to accomplish is to have the rule only alert if the large ICMP 
>packet does NOT contain "WANG2,"  however, when I run snort (snort -A fast 
>-bpc e:\snort\etc\snort.conf -l e:\snort\log) with this rule enabled I get 
>the following error:
>
>SNORT DETECTION ENGINE: Pure Not Rule 'ICMP Large ICMP, NOT M$ Slow Link 
>Det' not added to detection engine.  These rules are not supported at this 
>time.

You are correct. AFAIK a rule with only negated content sections isn't 
supported (yet); you need at least one positive content before you can do 
a negative content.

i.e.: content: "foo"; content: ! "bar" is fine, but content: ! "bar" alone is 
a no-go.
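As an added illustration (my own code, not Snort's and not from the thread), here is a small lint that parses the option section of a rule, collects its content: matches, and flags a rule as "pure not" when every content match is negated, so the rules that the engine would refuse to load can be found before starting snort. The rule list is constructed: the first entry is the rule from the thread, the second a hypothetical variant with a positive content added.

```python
# Sample rules (constructed): the first is the rule from the thread, the
# second is a hypothetical variant with a positive content added.
RULES = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP, NOT '
    'M$ Slow Link Det"; content: ! "WANG2"; dsize: >800; '
    'reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"hypothetical fix"; '
    'content:"ABCD"; content:!"WANG2"; dsize:>800; sid:1000001; rev:1;)',
]

def split_options(rule):
    """Split the text inside the rule's parentheses on ';', but not on
    semicolons that sit inside a double-quoted value (e.g. in msg:)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            in_quote ^= (ch == '"')
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def options(rule, name):
    """Values (stripped) of every option called `name`, in rule order."""
    pairs = (o.partition(":") for o in split_options(rule))
    return [v.strip() for k, sep, v in pairs if sep and k.strip() == name]

def content_matches(rule):
    """(negated, pattern) for each content: option; 'content: ! "X"' and
    'content:!"X"' are both negated; leading '!' and quotes are removed."""
    return [(v.startswith("!"), v.lstrip("!").strip().strip('"'))
            for v in options(rule, "content")]

def is_pure_not(rule):
    """True when the rule has content matches and all of them are negated,
    which is exactly what the detection engine rejects."""
    matches = content_matches(rule)
    return bool(matches) and all(neg for neg, _ in matches)

def pure_not_sids(rules):
    """sids of rules that would be dropped with the 'Pure Not Rule' error."""
    return [options(r, "sid")[0] for r in rules if is_pure_not(r)]
```

A rule with no content option at all is not flagged, since the error in the thread concerns rules whose only content matches are negated.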
