[Snort-users] Rules with multiple contents specified
gmeetsingh at ...125...
Mon Apr 5 06:52:07 EDT 2004
I am new to Snort. Can someone tell me what it means when multiple contents are
specified in a rule, as in the following rule? Does it mean that all the
contents MUST be matched, and does it also mean that they should be in the same
sequence as specified in the rule, or does the sequencing not matter (e.g. for
the following rule, should "uid=" and "(web)" be in the same sequence, or can
"(web)" be before "uid=")?
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"(web)"; classtype:bad-unknown; sid:1884; rev:2;)