[Oisf-users] negative content match
Victor Julien
lists at inliniac.net
Thu Dec 7 15:06:44 UTC 2017
On 07-12-17 14:31, erik clark wrote:
> So, I have a rule that has the following stub:
>
> content:"paypal.com";http_host;isdataat:0,relative
>
> This checks to confirm the host IS somethingsomething.paypal.com,
> and always ends in paypal.com.
>
> My question is, and this is conjecture because I am having a hard time
> procuring the right pcap, will negating the content make this fire on
> anything that does NOT end in paypal.com? Like so:
>
> content:!"paypal.com";http_host;isdataat:0,relative
To check 'pattern' is the end of the buffer, use
'content:"pattern"; isdataat:!1,relative;'
To check that there is data after 'pattern', use
'content:"pattern"; isdataat:1,relative;'
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
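The two rule stubs in the reply differ only in the sign of the relative isdataat check, so it helps to see them run side by side over a few hostnames. The following is an added example, not code from the thread or from Suricata: a small Python emulation of how `content:"pattern"; isdataat:!1,relative;` (pattern ends the buffer) and `content:"pattern"; isdataat:1,relative;` (data follows the pattern) behave on the normalized http_host buffer, including the case where the pattern occurs more than once and a later occurrence has to be tried. The sample hostnames are constructed; the retry-on-later-occurrence behaviour is modelled after Suricata's content inspection and is an assumption of this emulation, not something stated in the thread.

```python
def host_matches(host: bytes, pattern: bytes, data_after: bool) -> bool:
    """Emulate `content:"pattern"; http_host; isdataat:{1|!1},relative;`.

    data_after=True  models isdataat:1,relative  (at least one byte follows
                     the content match).
    data_after=False models isdataat:!1,relative (no byte follows, i.e. the
                     match is the end of the buffer).

    Assumption: like Suricata, when the relative check fails for one
    occurrence of the pattern, the next occurrence in the buffer is tried.
    """
    # The http_host buffer is lowercase-normalized; patterns must be lowercase too.
    buf = host.lower()
    pattern = pattern.lower()
    start = 0
    while True:
        idx = buf.find(pattern, start)
        if idx == -1:
            return False                     # content never matched usably
        end = idx + len(pattern)
        has_data_after = end < len(buf)      # what isdataat:1,relative tests
        if has_data_after == data_after:
            return True
        start = idx + 1                      # retry with a later occurrence


def ends_with(host: bytes, pattern: bytes) -> bool:
    """content:"pattern"; isdataat:!1,relative;  -> pattern is the end of host."""
    return host_matches(host, pattern, data_after=False)


def has_data_after(host: bytes, pattern: bytes) -> bool:
    """content:"pattern"; isdataat:1,relative;   -> something follows pattern."""
    return host_matches(host, pattern, data_after=True)


# Constructed sample Host header values (not real traffic).
SAMPLE_HOSTS = [
    b"www.paypal.com",           # legitimate subdomain: ends with pattern
    b"paypal.com.evil.example",  # lookalike: pattern present, but not at the end
    b"paypal.com.paypal.com",    # two occurrences: first has data after, second ends
    b"www.example.com",          # pattern absent: neither rule can match
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h.decode():28s} ends_with={ends_with(h, b'paypal.com')!s:5s} "
              f"has_data_after={has_data_after(h, b'paypal.com')}")
```

Note that `ends_with` is the check the reply recommends for "host ends in paypal.com"; the lookalike host `paypal.com.evil.example` contains the pattern but is correctly rejected by it and accepted only by the `isdataat:1,relative` form. Newer Suricata releases also offer the `endswith` content modifier for the same purpose.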