[Snort-users] Writing a "not" snort rule

ntbuck12 at ...131...
Tue Mar 19 14:30:10 EDT 2013


Attention Joe and snort rule writers. I have read a fair amount of information on writing rules, but now I am stuck on how to do this.

How could I detect on the following scenario? - Alert on any packet that contains ANYTHING OTHER THAN "message1", "message2" or "message3", in a certain field.

Obviously I could use offset and depth to narrow down to the field I'm looking at, but now to do a "negative search". Ideas?


Side Note: I'm pretty sure whatever Joe Esler gets paid isn't nearly enough. I love the blogs too, Joe.
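One way to express this "anything other than" check in Snort 2 rule syntax, as an added example that is not part of the original post: each `content:!` match is negated, and several negated matches in one rule are ANDed, so the rule fires only when none of the allowed values is found in the window. The protocol, port, field position (bytes 8-15) and sid are assumptions chosen for illustration.

```snort
# Assumed: the field occupies 8 bytes starting at payload offset 8 (bytes 8-15).
# depth counts from offset, so offset:8; depth:8 confines the search to that field.
# dsize guards against the negation pitfall: a payload too short to contain the
# field would otherwise "not contain" any of the values and trigger the alert.
# Port 1234, the TCP flow direction and sid 1000001 are placeholders for this example.
alert tcp any any -> any 1234 ( \
    msg:"Unexpected value in fixed field (not message1/2/3)"; \
    flow:to_server,established; \
    dsize:>=16; \
    content:!"message1"; offset:8; depth:8; \
    content:!"message2"; offset:8; depth:8; \
    content:!"message3"; offset:8; depth:8; \
    classtype:protocol-command-decode; \
    sid:1000001; rev:1; \
)
```

If the allowed values differ in length, set depth to the full field width (not each value's length) so that a value followed by padding is still recognised as allowed.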