From: Martin Roesch (roesch md.prestige.net)
Date: Tue Mar 06 2001 - 12:43:10 CST
Hi Steve,
This feature is in the latest version of Snort in CVS. Basically,
you use it like this:
    alert tcp !$HOME_NET any -> $HOME_NET 21 \
        (flags: A+; content: "USER"; nocase; content: !"anonymous"; nocase; \
        msg: "Non-anonymous login attempted to FTP server";)
Note the "!" before the "anonymous" in the second content check. That's
how you use the content exception matching.
-Marty
Steve Halligan wrote:
>
> I remember seeing something on this list, that I can't seem to find now,
> about using ! in the content field. Is this true? If so what is the
> syntax? Can it be used in conjunction with a regular content entry in a
> this but not this kinda way?
>
> _______________________________________________
> Snort-users mailing list
> Snort-users lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
-- Martin Roesch roeschmd.prestige.net http://www.snort.org
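
An added example, not part of the original message and not Snort's own code: a simplified Python model of how the two content options in the rule above combine, run over constructed FTP payloads. The function names and sample payloads are assumptions for illustration; the header and flags checks are left out.

```python
# Simplified model of the payload options in the rule from the message above.
# Header matching (addresses, port 21) and the flags: A+ test are not modelled.

def content_match(payload: bytes, pattern: bytes, nocase: bool = False,
                  negated: bool = False) -> bool:
    """One content option: substring search anywhere in the payload.

    negated=True models content: !"..." and succeeds only when the
    pattern is absent from the payload.
    """
    if nocase:
        payload, pattern = payload.lower(), pattern.lower()
    found = pattern in payload
    return not found if negated else found


# (pattern, nocase, negated) for each content option in the rule
RULE_CONTENTS = [
    (b"USER", True, False),
    (b"anonymous", True, True),
]


def rule_fires(payload: bytes) -> bool:
    """All content options must succeed for the rule to alert."""
    return all(content_match(payload, p, nocase=nc, negated=neg)
               for p, nc, neg in RULE_CONTENTS)


# Constructed sample FTP control-channel payloads (not captured traffic)
SAMPLES = {
    b"USER alice\r\n": True,        # named account: alert
    b"user Alice\r\n": True,        # nocase on "USER"
    b"USER anonymous\r\n": False,   # exception suppresses the alert
    b"USER Anonymous\r\n": False,   # nocase on the negated pattern
    b"PASS secret\r\n": False,      # no USER command in this packet
    # The negation covers the whole payload, not just the USER argument
    b"USER anonymous-backup\r\n": False,
}

if __name__ == "__main__":
    for payload, expected in SAMPLES.items():
        print(f"{payload!r:32} alert={rule_fires(payload)} expected={expected}")
```

The last sample is the case to keep in mind when tuning the rule: the exception is a payload-wide "pattern absent" test, so any packet that contains the excluded string anywhere is skipped.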