[Snort-users] content rule

Aditya at ...7657... Aditya at ...7657...
Tue Dec 3 16:26:03 EST 2002

Hi friends

I need to capture two contents, where one content depends on the other,
like this:
alert tcp any any -> 80 
(content: "|AB432CDEF|";content: " |1AC2FEB345|";depth: 5; 
msg: "malicious activity")

Only the combination of these two generates malicious activity.

Any ideas?


INPE (Brazilian Space Research Institute)
Networking & Information Security Group
