[Snort-users] (no subject)

Erick Mechler emechler at ...7719...
Tue Dec 10 08:13:03 EST 2002


:: I would like to write a rule, alerting for 'NOT' a specific content.
:: The problem arises when I try to use "Multiple Contents" (I'm wanting to use 
:: multiple 'OR' expressions)
:: 
:: The Logic: 
:: Alert if content is NOT 'ABC' OR NOT 'DEF' OR NOT 'GHI'

I think the best way to do this would be to write 4 rules in your own
library, not just one rule.  The first three will check that the content
doesn't match the given binary string, and the last one will alert if it's
reached.
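
An added illustration, not part of the original message and not a rendering of the four-rule suggestion above: Snort ANDs the content options inside a single rule, so the "NOT ... OR NOT ..." logic in the question needs one rule per negated content. The Python model below, together with its rule text, sids and payloads, is constructed for this example and ignores `nocase`, hex `|..|` notation and header matching.

```python
import re

# Matches content:"..." and the negated form content:!"..."
CONTENT_RE = re.compile(r'content:\s*(!?)\s*"([^"]*)"')

def parse_contents(rule):
    """Return [(negated, pattern_bytes), ...] for each content option."""
    return [(neg == "!", pat.encode()) for neg, pat in CONTENT_RE.findall(rule)]

def rule_matches(rule, payload):
    """Every content option in one rule must hold: they are ANDed."""
    return all((pat in payload) != negated
               for negated, pat in parse_contents(rule))

def alerts(rules, payload):
    """Rules are evaluated independently, so a rule set acts as an OR."""
    return [r for r in rules if rule_matches(r, payload)]

# Constructed rules. One rule with three negated contents fires only when
# NONE of the strings is present (NOT ABC AND NOT DEF AND NOT GHI).
ONE_RULE = [
    'alert tcp any any -> any any (msg:"no ABC, DEF or GHI"; '
    'content:!"ABC"; content:!"DEF"; content:!"GHI"; sid:1000001;)',
]
# Three rules, one negated content each, fire when ANY string is missing
# (NOT ABC OR NOT DEF OR NOT GHI).
THREE_RULES = [
    'alert tcp any any -> any any (msg:"ABC missing"; content:!"ABC"; sid:1000002;)',
    'alert tcp any any -> any any (msg:"DEF missing"; content:!"DEF"; sid:1000003;)',
    'alert tcp any any -> any any (msg:"GHI missing"; content:!"GHI"; sid:1000004;)',
]

# Constructed payloads.
SAMPLES = [b"xxABCxxDEFxx", b"ABC DEF GHI", b"hello"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "one rule:", len(alerts(ONE_RULE, p)),
              "three rules:", len(alerts(THREE_RULES, p)))
```

The payload that contains ABC and DEF but not GHI is the case that separates the two forms: the single rule stays silent while the three-rule set alerts once.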
