[Snort-users] content rule

Aditya at ...7657...
Tue Dec 3 16:26:03 EST 2002


Hi friends


I need to capture two contents; one content depends on the other,
like this:
alert tcp any any -> 192.168.1.0/24 80 \
(content: "|AB432CDEF|"; content: " |1AC2FEB345|"; depth: 5; \
msg: "malicious activity";)


Only the combination of these two generates malicious activity.


Any ideas?


Aditya


INPE (Brazilian Space Research Institute)
Networking & Information Security Group
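
Added example, not part of the original post and not Snort's own code: a simplified Python model of how one rule with several content options is evaluated. Every content option must match for the rule to fire, depth limits only the content it follows, and distance (Snort 2.x) ties a content to the end of the previous match. Assumptions: the first pattern is a constructed placeholder, the payloads are constructed, and the class and function names are hypothetical.

```python
# Simplified model of multi-content rule evaluation (illustration, not Snort code).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Content:                      # hypothetical helper type
    pattern: bytes
    offset: int = 0                 # absolute start of the search window
    depth: Optional[int] = None     # window length, counted from offset
    distance: Optional[int] = None  # relative: skip N bytes after previous match

def window(c, payload, prev_end):
    """Byte range [start, end) in which this content is allowed to match."""
    if c.distance is not None:      # relative to the end of the previous match
        start, end = prev_end + c.distance, len(payload)
    else:                           # absolute: offset/depth from payload start
        start = c.offset
        end = len(payload) if c.depth is None else start + c.depth
    return max(start, 0), min(end, len(payload))

def rule_matches(contents, payload, i=0, prev_end=0):
    """True only if every content matches (logical AND)."""
    if i == len(contents):
        return True
    c = contents[i]
    start, end = window(c, payload, prev_end)
    pos = payload.find(c.pattern, start, end)
    while pos != -1:                # try each candidate position in turn
        if rule_matches(contents, payload, i + 1, pos + len(c.pattern)):
            return True
        pos = payload.find(c.pattern, pos + 1, end)
    return False

FIRST = bytes.fromhex("AB432CDE")     # constructed placeholder pattern
SECOND = bytes.fromhex("1AC2FEB345")  # second pattern from the post
BOTH_ANYWHERE = [Content(FIRST), Content(SECOND)]
SECOND_AFTER_FIRST = [Content(FIRST), Content(SECOND, distance=0)]
SECOND_IN_FIRST_5 = [Content(FIRST), Content(SECOND, depth=5)]

# Constructed payloads: both patterns in order, reversed, and only one present.
IN_ORDER = b"GET /" + FIRST + b"xx" + SECOND
REVERSED = SECOND + b"--" + FIRST
ONLY_ONE = b"GET /" + FIRST

if __name__ == "__main__":
    for name, rule in [("anywhere", BOTH_ANYWHERE), ("ordered", SECOND_AFTER_FIRST),
                       ("depth 5", SECOND_IN_FIRST_5)]:
        print(name, [rule_matches(rule, p) for p in (IN_ORDER, REVERSED, ONLY_ONE)])
```

In the depth variant the second pattern is only accepted inside the first five payload bytes, which is why it fires on the reversed payload and not on the in-order one.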




