[Snort-users] regexp for content
roman at ...438...
Wed Nov 29 14:13:58 EST 2000
Did you use the '-o' command-line option when starting snort so that
the rule evaluation order is 'Pass|Alert|Log' instead of 'Alert|Log|Pass'?
On Wed, 29 Nov 2000 grina at ...879... wrote:
> Is there any practical way to do regexp matching in the
> At this point, I'm trying to create a rule that matches all outgoing
> requests except for GET.
> I tried ignoring (pass rule) the GET first, and then grabbing the rest
> the outgoing HTTP sessions. Any idea why these 2 rules don't work as I
> pass tcp any any -> any 80 (msg:"pass HTTP GET";content:"GET
> alert tcp any any -> any 80 (msg:"HTTP session";session:printable;)
> This case would be a trivial regexp example, but I imagine that more
> complicated regexps would be quite useful as long as they don't bog down
> the system.
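
Added example (not part of the original thread, and not Snort's code): a small Python model of the two evaluation orders named in the reply, showing why the pass rule only takes effect when pass rules are checked first. The rule tuples, the `GET ` content value (the rule in the thread is cut off) and the sample payloads are constructed assumptions.

```python
# Simplified model of action-ordered rule evaluation (not Snort code).
# Rules are grouped by action; groups are checked in a fixed order and the
# first rule that matches decides what happens to the packet.

DEFAULT_ORDER = ("alert", "log", "pass")   # order named in the reply, without -o
DASH_O_ORDER = ("pass", "alert", "log")    # order named in the reply, with -o

# Constructed rules modelled on the two in the thread: (action, dst_port, content).
# The content value b"GET " is an assumption; the original rule is cut off.
RULES = [
    ("pass", 80, b"GET "),
    ("alert", 80, None),       # no content option: matches any payload to port 80
]

def matches(rule, dst_port, payload):
    _, port, content = rule
    return dst_port == port and (content is None or content in payload)

def evaluate(order, dst_port, payload, rules=RULES):
    """Return the action of the first matching rule, or None if nothing matches."""
    for action in order:
        for rule in rules:
            if rule[0] == action and matches(rule, dst_port, payload):
                return action
    return None

# Constructed sample payloads.
PACKETS = [
    (80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    (80, b"POST /cgi-bin/form HTTP/1.0\r\n\r\n"),
    (25, b"HELO example.test\r\n"),
]

def run(order):
    """Evaluate every sample packet under the given action order."""
    return [evaluate(order, port, data) for port, data in PACKETS]

if __name__ == "__main__":
    for name, order in (("default", DEFAULT_ORDER), ("-o", DASH_O_ORDER)):
        print(name, run(order))
```

In this model the default order lets the broad alert rule claim every port-80 packet before the pass rule is consulted, so GET requests alert as well; with the pass-first order only the non-GET request alerts.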