[Snort-sigs] (no subject)

alex dina alexander_dina at ...144...
Mon Mar 25 16:16:20 EDT 2013


 
Hi,
Please shed some light on the rules below. I would like to modify the original rule 1 so that it does not alert on the content "kijiji.com" but only alerts on "jiji.com". Please see rules 2 & 3: would either be the correct syntax to accomplish the intent?
Thank you!
 
1. alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (msg:"Known Intrusion Set DNS beacon over port 80"; flow:established,to_server; content:"jiji.com"; nocase; reference:"High Side SpreadSheet"; sid:1001570; rev:1; classtype:unknown; )
2. alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (msg:"Known Intrusion Set DNS beacon over port 80"; flow:established,to_server; content: "jiji.com" & ! "kijiji.com"; nocase; reference:"High Side SpreadSheet"; rev:2; classtype:unknown; )

3. alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (msg:"Known Intrusion Set DNS beacon over port 80"; flow:established,to_server; content: "jiji.com"; ! "kijiji.com"; nocase; reference:"High Side SpreadSheet"; rev:2; classtype:unknown; )
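An added example, not part of the original post or of any reply: rule 1 fires on kijiji.com simply because "jiji.com" is a substring of it, and this script emulates in Python the two ways the stated intent could be expressed in Snort's rule language as I understand it, a second negated content match (`content:!"kijiji.com";`) or a `pcre` option with a negative lookbehind. The payloads are constructed samples; the point is that the two rewrites disagree when one payload carries both strings.

```python
import re

# Constructed sample payloads (not from the post), shaped like the port-80
# HTTP requests the rule's content match would inspect.
SAMPLE_PAYLOADS = {
    "beacon": b"GET /c2 HTTP/1.1\r\nHost: jiji.com\r\n\r\n",
    "benign": b"GET / HTTP/1.1\r\nHost: www.kijiji.com\r\n\r\n",
    "mixed": b"GET /r?u=kijiji.com HTTP/1.1\r\nHost: JIJI.COM\r\n\r\n",
    "unrelated": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}


def content_match(payload: bytes, needle: bytes, negate: bool = False, nocase: bool = True) -> bool:
    """Emulate one Snort 'content' test: a plain substring search,
    case-insensitive under 'nocase', inverted by the '!' negation prefix."""
    hay, nd = (payload.lower(), needle.lower()) if nocase else (payload, needle)
    found = nd in hay
    return not found if negate else found


def rule_two_contents(payload: bytes) -> bool:
    """Rule body: content:"jiji.com"; nocase; content:!"kijiji.com"; nocase;
    Every content test must pass, so a payload mentioning kijiji.com anywhere
    is suppressed even if a bare jiji.com also appears in it."""
    return content_match(payload, b"jiji.com") and content_match(payload, b"kijiji.com", negate=True)


# Rule body: pcre:"/(?<!ki)jiji\.com/i";  the negative lookbehind rejects only
# the occurrence embedded inside kijiji.com.
JIJI_NOT_KIJIJI = re.compile(rb"(?<!ki)jiji\.com", re.IGNORECASE)


def rule_pcre(payload: bytes) -> bool:
    """A bare jiji.com elsewhere in the same payload still alerts."""
    return JIJI_NOT_KIJIJI.search(payload) is not None


def evaluate(payloads=SAMPLE_PAYLOADS) -> dict:
    """Run both candidate rule bodies over the samples.
    Returns {name: (two_contents_alerts, pcre_alerts)}."""
    return {name: (rule_two_contents(p), rule_pcre(p)) for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (two_contents, pcre) in evaluate().items():
        print(f"{name:10s} content+!content={two_contents!s:5s} pcre={pcre}")
```

The "mixed" payload is the case to decide on before picking a syntax: the negated-content form stays silent on it, the lookbehind form alerts.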

