[Snort-sigs] Rule thoughts

James Lay jlay at ...3266...
Thu Sep 6 17:36:40 EDT 2012


On 2012-09-06 16:34, rmkml wrote:
> Hi,
>
> and maybe checking don't have <LF> for reduce possible FP like this:
>
> content:"mailto:<"; isdataat:1500,relative; content:!">";
> within:1501; content:!"|0A|"; within:1501;
>
> Regards
> Rmkml
>
> http://twitter.com/rmkml
>
>
> On Thu, 6 Sep 2012, James Lay wrote:
>
>> On 2012-09-06 13:25, lists at ...3397... wrote:
>>> On 09/06/12 14:08, James Lay wrote:
>>>> Any pointers would help...thank
>>>
>>> What about:
>>>
>>> content:"mailto:<"; isdataat:1500,relative; content:!">";
>>> within:1501;
>>
>> Thanks Nathan...that helps my understanding.
>>
>> James

Oh good call...thanks Rmkml!

James




More information about the Snort-sigs mailing list