[Snort-sigs] Rule thoughts

rmkml rmkml at ...174...
Thu Sep 6 18:34:34 EDT 2012


Hi,

and maybe also check that there is no <LF>, to reduce possible FPs, like this:

content:"mailto:<"; isdataat:1500,relative; content:!">"; within:1501; content:!"|0A|"; within:1501;

Regards
Rmkml

http://twitter.com/rmkml


On Thu, 6 Sep 2012, James Lay wrote:

> On 2012-09-06 13:25, lists at ...3397... wrote:
>> On 09/06/12 14:08, James Lay wrote:
>>> Any pointers would help...thank
>>
>> What about:
>>
>> content:"mailto:<"; isdataat:1500,relative; content:!">";
>> within:1501;
>
> Thanks Nathan...that helps my understanding.
>
> James
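
Added example, not part of the original thread and not Snort's own code: a simplified Python model of the option chain discussed above, run over constructed payloads to compare the rule with and without the `|0A|` check. The function name `rule_matches` and the sample payloads are assumptions made for illustration.

```python
# Simplified model of the rule options from the thread (illustration only,
# not Snort's detection engine).
ANCHOR = b"mailto:<"
MIN_AFTER = 1500   # isdataat:1500,relative
WINDOW = 1501      # within:1501


def rule_matches(payload: bytes, forbid_lf: bool) -> bool:
    """True if any "mailto:<" occurrence satisfies the option chain."""
    start = 0
    while True:
        hit = payload.find(ANCHOR, start)
        if hit == -1:
            return False
        start = hit + 1                  # on failure, retry the next occurrence
        cursor = hit + len(ANCHOR)       # relative options begin after the match
        # isdataat:1500,relative -> a byte must exist 1500 bytes past the cursor
        if cursor + MIN_AFTER >= len(payload):
            continue
        window = payload[cursor:cursor + WINDOW]
        if b">" in window:               # content:!">"; within:1501;
            continue
        if forbid_lf and b"\x0a" in window:   # content:!"|0A|"; within:1501;
            continue
        return True


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # Long unterminated field: what both rule variants are meant to flag.
    "long_field": ANCHOR + b"A" * 2000,
    # Ordinary short address closed by ">".
    "normal_link": b"mailto:<user@example.com>" + b" " * 2000,
    # Multi-line text after the anchor with no ">" nearby: the false
    # positive the extra |0A| check is meant to suppress.
    "multiline_text": b"see mailto:<\n" + b"plain text line, no closing bracket\n" * 60,
    # Too little data after the anchor for isdataat to succeed.
    "short_payload": ANCHOR + b"A" * 1500,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, rule_matches(data, False), rule_matches(data, True))
```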



