[Oisf-users] negative content match

erik clark philosnef at gmail.com
Thu Dec 7 13:31:19 UTC 2017

So, I have a rule that has the following stub:


This checks to confirm the host IS somethingsomething.paypal.com, and
always ends in paypal.com.

My question is, and this is conjecture because I am having a hard time
procuring the right pcap, will negating the content make this fire on
anything that does NOT end in paypal.com? Like so:


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171207/fb6c14b4/attachment-0001.html>

More information about the Oisf-users mailing list