[Snort-users] Logical AND in rule options, in particular in content option.

C. Jason Coit jasonc at ...47...
Wed Oct 4 23:52:49 EDT 2000


Nick,

The Snort rule language allows you to use multiple content keywords in any
particular rule.  If you want a rule such as the one you listed to check
string1 and string2 without case you simply need to write:

alert tcp $HOME_NET 80 -> !$HOME_NET any (msg: "Alert: text found";
content:"string1"; nocase; content: "string2"; nocase;)

Each content is added with its own options for depth, offset, and case
sensitivity (i.e. nocase option).  You can currently add as many strings to
search for as you like, just keep adding the content keyword followed by the
string to search for.  

See the Snort website on writing Snort Rules.  
http://www.snort.org/writing_snort_rules.htm

regards,

-Jason Coit

Nick Stanescu wrote:
> 
> Hi,
> 
>         Is it possible to have a rule similar to this:
> alert tcp $HOME_NET 80 -> !$HOME_NET any (msg: "Alert: text found";
> content:"string1" && "string2"; nocase;)
>         logging and alerting only when packets contain both string1 AND
> string2?!
> 
> Thanks,
> -n
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-------------------------------------------------
Jason Coit  ---  Silicon Defense
"Intrusion Monitoring and Internet Security Research"
http://www.silicondefense.com/
Voice: (707) 445-4355  ---  Fax: (707) 445-4222



More information about the Snort-users mailing list