[Snort-users] Logical AND in rule options, in particular in content option.

Max Vision vision at ...4...
Tue Oct 3 01:46:53 EDT 2000


On Mon, 2 Oct 2000, Nick Stanescu wrote:
> 	Is it possible to have a rule similar to this:
> alert tcp $HOME_NET 80 -> !$HOME_NET any (msg: "Alert: text found";
> content:"string1" && "string2"; nocase;)
> 	logging and alerting only when packets contain both string1 AND
> string2?!

You can stack content strings like this:

alert tcp $HOME_NET 80 -> !$HOME_NET any (msg: "Alert- text found"; content:"string1"; content:"string2"; nocase;)

Max
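
Added example, not part of the original post: a small Python model of how the stacked content options in the rule above combine. It assumes Snort 2.x semantics (every content must match, anywhere in the payload, and nocase modifies only the content just before it); parse_contents and payload_matches are hypothetical helper names, and hex (|..|) or negated (!) contents are not handled.

```python
import re

# One rule option: `keyword: value;` or a bare `keyword;` (quoted values may contain ; or :).
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_contents(rule):
    """Return (pattern, nocase) for each content option, in rule order."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents = []
    for key, value in OPTION_RE.findall(body):
        if key == "content":
            contents.append([value.strip().strip('"').encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True  # assumption: modifies the preceding content only
    return [tuple(c) for c in contents]

def payload_matches(rule, payload):
    """True only when every content pattern occurs somewhere in the payload (AND)."""
    for pattern, nocase in parse_contents(rule):
        haystack = payload.lower() if nocase else payload
        needle = pattern.lower() if nocase else pattern
        if needle not in haystack:
            return False
    return True

# The stacked rule from the reply, and a variant with nocase on both contents.
STACKED = ('alert tcp $HOME_NET 80 -> !$HOME_NET any (msg: "Alert- text found"; '
           'content:"string1"; content:"string2"; nocase;)')
BOTH_NOCASE = STACKED.replace('content:"string1";', 'content:"string1"; nocase;')

# Constructed payloads, not captured traffic.
SAMPLES = [b"string1 then STRING2", b"only string1 here", b"STRING1 then string2"]

if __name__ == "__main__":
    for payload in SAMPLES:
        print(payload, payload_matches(STACKED, payload), payload_matches(BOTH_NOCASE, payload))
```

Under these assumptions the third payload is missed by the stacked rule as written, because "string1" is still compared case-sensitively; repeating nocase after each content covers it.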




