[Snort-users] using ! in content

Martin Roesch roesch at ...421...
Tue Mar 6 13:43:10 EST 2001


Hi Steve,
     This feature is in the latest version of Snort in CVS.  Basically,
you use it like this:

alert tcp !$HOME_NET any -> $HOME_NET 21                            \
(flags: A+; content: "USER"; nocase; content: !"anonymous"; nocase; \
msg: "Non-anonymous login attempted to FTP server";)

Note the "!" before the "anonymous" in the second content check.  That's
how you use the content exception matching.

     -Marty

Steve Halligan wrote:
> 
> I remember seeing something on this list, that I can't seem to find now,
> about using ! in the content field.  Is this true?  If so what is the
> syntax?  Can it be used in conjunction with a regular content entry in a
> this but not this kinda way?

--
Martin Roesch
roesch at ...421...
http://www.snort.org
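
How the two content checks in the rule above combine, as an added example that is not part of the original message or of Snort's own code: a small Python model that parses the rule's option string and evaluates it against constructed payloads. It assumes simplified semantics (payload-wide substring search; no header, flags, offset/depth or |hex| handling), and parse_contents, payload_matches and evaluate are hypothetical helper names.

```python
import re

# Option string from the rule in the message above (rule header omitted).
RULE_OPTIONS = ('flags: A+; content: "USER"; nocase; '
                'content: !"anonymous"; nocase; '
                'msg: "Non-anonymous login attempted to FTP server";')

def parse_contents(options):
    """Collect content checks; a following 'nocase' applies to the last one."""
    checks = []
    for opt in (o.strip() for o in options.split(";")):
        m = re.fullmatch(r'content:\s*(!?)\s*"([^"]*)"', opt)
        if m:
            checks.append({"pattern": m.group(2).encode(),
                           "negated": m.group(1) == "!", "nocase": False})
        elif opt == "nocase" and checks:
            checks[-1]["nocase"] = True
    return checks

def payload_matches(checks, payload):
    """All checks must hold: plain content present, negated content absent."""
    for c in checks:
        pat, data = c["pattern"], payload
        if c["nocase"]:
            pat, data = pat.lower(), data.lower()
        if (pat in data) == c["negated"]:
            return False
    return True

# Constructed FTP command payloads, not captured traffic.
SAMPLES = [
    b"USER alice\r\n",             # alert: USER present, "anonymous" absent
    b"USER anonymous\r\n",         # no alert: excluded by the negated content
    b"user Anonymous\r\n",         # no alert: nocase applies to both checks
    b"PASS secret\r\n",            # no alert: first content is missing
    b"USER anonymous_backup\r\n",  # no alert: exclusion is a substring match
]

def evaluate(samples=SAMPLES):
    """Return one True/False (alert or not) per sample payload."""
    checks = parse_contents(RULE_OPTIONS)
    return [payload_matches(checks, p) for p in samples]

if __name__ == "__main__":
    for payload, hit in zip(SAMPLES, evaluate()):
        print("ALERT   " if hit else "no alert", payload)
```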



