[Oisf-users] negative content match
erik clark
philosnef at gmail.com
Thu Dec 7 13:31:19 UTC 2017
So, I have a rule that has the following stub:

content:"paypal.com";http_host;isdataat:0,relative

This checks to confirm the host IS somethingsomething.paypal.com, and
always ends in paypal.com.

My question is, and this is conjecture because I am having a hard time
procuring the right pcap, will negating the content make this fire on
anything that does NOT end in paypal.com? Like so:

content:!"paypal.com";http_host;isdataat:0,relative

Thanks!