[Snort-sigs] Content Negation

Gurgen Hakobyan hakobyan at ...3751...
Wed Apr 6 17:30:24 EDT 2016


Hello all,

Is it possible to create a negative rule of a kind: “If content X is not found in a flow within Y time, raise an alert”?

Let’s say I am looking for an HTTP stream that does not send a POST within n seconds.

There are ways to negate various stuff but I can’t think of how to implement this.

Thanks,
Gurgen

