[Snort-users] Rules with multiple contents specified

gurmeet singh gmeetsingh at ...125...
Mon Apr 5 06:52:07 EDT 2004


Hi,

I am new to Snort. Can someone tell me, when multiple contents are 
specified in a rule as in the following rule, what does it mean? Does it 
mean that all the contents MUST be matched, and does it also mean that they 
should be in the same sequence as specified in the rule, or does the 
sequencing not matter (e.g., for the following rule, should "uid=" and 
"(web)" be in the same sequence, or can "(web)" be before "uid=")?

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"(web)"; classtype:bad-unknown; sid:1884; rev:2;)

Thanks
GM
