[Snort-sigs] Quick rule question

Mike Cox mike.cox52 at ...2420...
Fri Oct 19 10:49:39 EDT 2012


content:".htm"; content:"|22|"; distance:0; within:2; pcre:"/\.html?\x22/";

Obviously this is inefficient without other matching criteria .. what and
and where are you trying to match on exactly?

-Mike Cox

On Fri, Oct 19, 2012 at 9:24 AM, James Lay <jlay at ...3266...> wrote:

> Hey all,
>
> Quick question...trying to match:
>
> .htm"  OR  .html"
>
> my content can be htm and that's fine, but I need to make sure to have
> the end quote at the end.
>
> Thanks all.
>
> James
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_sfd2d_oct
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20121019/d26747a2/attachment.html>


More information about the Snort-sigs mailing list