[Emerging-Sigs] FP on 2011031?

evilghost@packetmail.net evilghost at packetmail.net
Thu Oct 7 16:13:48 EDT 2010





On 10/07/2010 03:09 PM, evilghost at packetmail.net wrote:
> If that's the case shouldn't the rule just contain one content match
>> like this "content:!"GET "; depth:4;"

Also meant to add, a rule like this would alert on *everything* not
matching HTTP GET.  The goal of the original rule is to match on *any*
form of HGET, regardless of case, as an HTTP METHOD and throw out
(negated content match) data matching literal "GET "; depth:4;.

Also you can't have a Snort rule that's only comprised of a negated
content match since it'd alert on everything not matching that negation.

-evilghost
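
The point made in this message, modelled as an added example (not code from the original post, the rule set, or Snort itself): a simplified evaluator for `content` options with `depth`, `nocase` and negation, run over constructed payloads. The positive case-insensitive match in `COMBINED` is an assumption, since the text of rule 2011031 is not quoted in this message.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Content:
    """Simplified model of one Snort content option (not Snort's own code)."""
    pattern: bytes
    depth: int
    nocase: bool = False
    negated: bool = False

    def matches(self, payload: bytes) -> bool:
        window, pat = payload[:self.depth], self.pattern
        if self.nocase:
            window, pat = window.lower(), pat.lower()
        found = pat in window
        # A negated option is satisfied only when the pattern is absent.
        return found != self.negated


def rule_alerts(contents, payload: bytes) -> bool:
    """A rule fires only when every content option is satisfied."""
    return all(c.matches(payload) for c in contents)


# The negation-only rule suggested in the quoted text.
NEGATION_ONLY = [Content(b"GET ", depth=4, negated=True)]

# Assumed shape of a positive match paired with the negation.
COMBINED = [
    Content(b"GET ", depth=4, nocase=True),
    Content(b"GET ", depth=4, negated=True),
]

# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "normal GET": b"GET / HTTP/1.1\r\n",
    "lowercase get": b"get / HTTP/1.1\r\n",
    "mixed-case get": b"GeT / HTTP/1.1\r\n",
    "POST": b"POST /login HTTP/1.1\r\n",
    "ssh banner": b"SSH-2.0-OpenSSH_5.3\r\n",
    "tls hello": b"\x16\x03\x01\x00\xa5\x01",
}


def alerting(contents):
    return {name for name, p in SAMPLES.items() if rule_alerts(contents, p)}


if __name__ == "__main__":
    print("negation only:", sorted(alerting(NEGATION_ONLY)))
    print("combined:     ", sorted(alerting(COMBINED)))
```
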


