[Snort-sigs] Rule for identifying all traffic except the specified one
Rajkumar S
rajkumars at ...3234...
Wed Jun 14 15:55:00 EDT 2006
Hi,
We have a link for an ftp server and want to have an alert for all
traffic to the ftp server except for one file type. The file that needs
to pass has a fixed string at the start of the file. I have a rule to
match the contents of the file,

    alert tcp any any -> 192.168.3.74 any (msg:"Test Rule";
    flow:to_server,established; content: "FOOBAR"; offset:0; depth:6; rev:1;
    fwsam: src, 10 seconds;)

fwsam is used for SnortSam, for blocking the IP using alerts of Snort.
Now I want to negate this rule to alert on all streams that do not match
this rule. When I try to use the ! operator I get an error about Pure not
rule. I am using Snort 2.4.5.
Any help will be much appreciated!
raj