<div dir="ltr">endswith; and startswith; can be used in 4.1beta and forward. Endswith is an easier way to express the same thing as isdataat:!1,relative;<div><br></div><div>I don't believe there is any significant performance case to use one over the other, just easier to write/understand.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 10, 2018 at 6:33 AM, erik clark <span dir="ltr">&lt;<a href="mailto:philosnef@gmail.com" target="_blank">philosnef@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Wow, so, learn something new every day (recent post on list).<div><br></div><div>Does endswith work with negation?</div><div><br></div><div>content:!"realdomain.com"; endswith;</div><div><br></div><div>I'm looking at this as a way to revamp ETPro sigs for phishing by excluding the valid domains from the signature with this method. Currently it uses isdataat, but endswith seems better? Is it more resource intensive than isdataat?</div><div><br></div><div>Thanks!</div></div>
<br>______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
</blockquote></div><br></div>
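The equivalence stated in the reply, as an added example that is not part of the original thread and is not Suricata code: a small Python model of `content:"X"; isdataat:!1,relative;` next to `content:"X"; endswith;`, run over constructed buffer values. It assumes the engine retries later occurrences of the content when the relative check fails, and it models only the positive match, not the negated form asked about in the quoted message.

```python
# Model of two ways to say "the buffer ends with this content".
# Function names and sample buffers are constructed for illustration.

PATTERN = b"realdomain.com"

# Constructed sample buffers (for example, values of a hostname buffer).
SAMPLES = [
    b"realdomain.com",
    b"login.realdomain.com",
    b"realdomain.com.example.net",
    b"realdomain.com.realdomain.com",  # pattern occurs twice
    b"example.org",
    b"",
]

def content_end_offsets(buf, pat):
    """Yield the offset just past each occurrence of pat in buf."""
    start = 0
    while (i := buf.find(pat, start)) != -1:
        yield i + len(pat)
        start = i + 1

def isdataat_relative(buf, end, n, negated=False):
    """isdataat:N,relative: is there data N bytes past the last match?"""
    has_data = end + n <= len(buf)
    return has_data != negated

def match_isdataat_form(buf, pat):
    """content:"pat"; isdataat:!1,relative;  (any occurrence may satisfy it)"""
    return any(isdataat_relative(buf, end, 1, negated=True)
               for end in content_end_offsets(buf, pat))

def match_endswith_form(buf, pat):
    """content:"pat"; endswith;  (pattern must sit at the very end)"""
    return len(buf) >= len(pat) and buf[len(buf) - len(pat):] == pat

def compare(samples, pat=PATTERN):
    """Return (buffer, isdataat_result, endswith_result) for each sample."""
    return [(b, match_isdataat_form(b, pat), match_endswith_form(b, pat))
            for b in samples]

if __name__ == "__main__":
    for buf, a, b in compare(SAMPLES):
        print(f"{buf!r:40} isdataat-form={a!s:5} endswith-form={b}")
```
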