[Snort-sigs] Sid 21858

Oscar A o_ama_lo at ...12...
Wed Oct 15 14:23:32 EDT 2014


Hi, can somebody help me please? I find only exact matches for the first content:

content:"|FF|SMB|A2 00 00 00 00|"; 

But for the second content, only the first 2 hexadecimal values match:

content:"m|00|s|00|i|00|e|00|x|00|e|00|c|00|.|00|e|00|x|00|e|00 00 00|"

Isn't it supposed that all content matches must be true for the rule to trigger an event, that is, each content match has
an AND relationship with the others? So why are drop events triggering only when the first content is matched?

I'm having this match: 4d 00 53 00 49 00 45 00 58 00 45 00 43 00 2E 00 45 00 58 00 45 (00 22 00), but the m s i e x e c . e x e are in upper case and the last three 00 00 00 between parentheses are not matching.

Regards!
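
The two content strings quoted in the message, checked against the bytes it reports, as an added example that is not part of the original post or of Snort's own code. It is a simplified model that assumes no positional modifiers (offset, depth, distance, within); whether the real rule uses nocase is not shown in the post, so both cases are evaluated, and the header and filler bytes in the sample payload are constructed.

```python
def parse_content(spec: str) -> bytes:
    """Turn a Snort content string (literal text with |hex| runs) into bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        # After splitting on '|', odd-numbered pieces are the hex runs.
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return bytes(out)


def longest_prefix(payload: bytes, pattern: bytes, nocase: bool = False) -> int:
    """Length of the longest prefix of pattern found anywhere in payload."""
    if nocase:  # nocase folds ASCII letters only, which bytes.lower() also does
        payload, pattern = payload.lower(), pattern.lower()
    n = len(pattern)
    while n and payload.find(pattern[:n]) < 0:
        n -= 1
    return n


def rule_matches(payload: bytes, contents, nocase: bool = False) -> bool:
    """AND semantics: the rule fires only if every content is found in full."""
    return all(longest_prefix(payload, c, nocase) == len(c) for c in contents)


# The two content options exactly as quoted in the post.
CONTENTS = [
    parse_content("|FF|SMB|A2 00 00 00 00|"),
    parse_content("m|00|s|00|i|00|e|00|x|00|e|00|c|00|.|00|e|00|x|00|e|00 00 00|"),
]

# Constructed payload: the leading header bytes and the zero filler are made up
# for this example; NAME holds the bytes reported in the post, including the
# trailing 00 22 00.
NAME = bytes.fromhex(
    "4d 00 53 00 49 00 45 00 58 00 45 00 43 00 2e 00 45 00 58 00 45 00 22 00"
)
PAYLOAD = CONTENTS[0] + b"\x00" * 8 + NAME

if __name__ == "__main__":
    for nocase in (False, True):
        for idx, c in enumerate(CONTENTS, 1):
            got = longest_prefix(PAYLOAD, c, nocase)
            print(f"nocase={nocase} content {idx}: {got}/{len(c)} bytes matched")
        print(f"nocase={nocase} rule matches: {rule_matches(PAYLOAD, CONTENTS, nocase)}")
```

In this model the second content fails case-sensitively at its first byte, and with nocase it matches 22 of 24 bytes before stopping at the 22 where the content expects 00.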
 		 	   		  