[Snort-users] (no subject)

counterping at ...5767... counterping at ...5767...
Tue Dec 10 04:14:03 EST 2002


Hiya,

Having a little trouble writing a Snort Rule. (I am new to the game, so pls 
excuse my ignorance)

I would like to write a rule, alerting for 'NOT' a specific content.
The problem arises when I try to use "Multiple Contents" (I'm wanting to use 
multiple 'OR' expressions)

The Logic: 
Alert if content is,  NOT 'ABC'  OR   NOT 'DEF'  OR   NOT 'GHI'

My SNORT Rule:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"NON RTP TRAFFIC"; 
content: !"|80 04|"; content: !"|80 05|"; content: !"|81 c8|";)


This rule does not work, it's treating it as 'ANDs' therefore fails.
Any help would be greatly appreciated, cause I'm stuck ... real stuck
Cheers
Matt C
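
The following is an added example, not part of the original post and not Snort code: a small Python model of how the content options in the rule above combine, evaluated once with the AND semantics of a single rule and once with the OR the post asks for. The function names and the sample payloads are constructed for illustration, and the model assumes plain content matching anywhere in the payload (no offset, depth or nocase).

```python
import re

# Content options from the rule in the post, with the hex delimiters closed.
RULE_OPTIONS = 'content: !"|80 04|"; content: !"|80 05|"; content: !"|81 c8|";'

def parse_contents(options):
    """Return [(negated, pattern_bytes)] for each content option."""
    out = []
    for neg, body in re.findall(r'content:\s*(!?)"([^"]*)"', options):
        pattern = b""
        # Odd-numbered chunks between pipes are hex, the rest is literal text.
        for i, chunk in enumerate(body.split("|")):
            pattern += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
        out.append((neg == "!", pattern))
    return out

def option_results(options, payload):
    """Evaluate each content option on its own (True = option satisfied)."""
    return [(pat in payload) != neg for neg, pat in parse_contents(options)]

def snort_and(options, payload):
    """A single rule: every content option must be satisfied to alert."""
    return all(option_results(options, payload))

def any_of(options, payload):
    """The OR described in the post: one satisfied option is enough."""
    return any(option_results(options, payload))

# Constructed sample payloads (hypothetical, not captured traffic).
SAMPLES = {
    "has 80 04 only": bytes.fromhex("8004000112345678"),
    "has none":       bytes.fromhex("4500003c1c464000"),
    "has all three":  bytes.fromhex("8004800581c80000"),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:15} AND={snort_and(RULE_OPTIONS, payload)} "
              f"OR={any_of(RULE_OPTIONS, payload)}")
```

With AND, the rule alerts only when none of the three byte patterns appears in the payload; with OR, it alerts unless all three appear.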


