[Oisf-users] endswith

erik clark philosnef at gmail.com
Tue Apr 10 11:33:30 UTC 2018

Wow, so, learn something new every day (recent post on list).

Does endswith work with negation?

content:!"realdomain.com"; endswith;

Im looking at this as a way to revamp ETPro sigs for phishing by excluding
the valid domains from the signature with this method. Currently it uses
isdataat, but endswith seems better? Is it more resource intensive than

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180410/ac52080a/attachment.html>

More information about the Oisf-users mailing list