|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: A.L.Lambert (max
xjack.org)Date: Wed Jun 20 2001 - 07:50:03 CDT
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing C:";
> content:"c\:"; nocase;)
Just as a general FYI to the list, having shot myself in the foot
once or twice this way - if you're using a centralized syslog server,
rules like the one above will set up an 'endless loop' of alerts.
Rule of thumb: never put the exact content:"" in the msg:"".
For the above, I'd recommend something like:
alert <blah blah> (msg:"Outgoing C prompt"; "content:"c\:"; nocase;)
Cheers!
-- A.L.Lambert
------------------------------------------------------------------------
Everything should be made as simple as possible, but not simpler.
-Einstein
------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]