[Oisf-users] endswith

Jason Williams jwilliams at emergingthreats.net
Tue Apr 17 15:32:58 UTC 2018

endswith; and startswith; can be used in 4.1beta and forward. Endswith is
an easier way to express the same thing as isdataat:!1,relative;

I don't believe there is any significant performance case to use one over
the other, just easier to write/understand.

On Tue, Apr 10, 2018 at 6:33 AM, erik clark <philosnef at gmail.com> wrote:

> Wow, so, learn something new every day (recent post on list).
> Does endswith work with negation?
> content:!"realdomain.com"; endswith;
> Im looking at this as a way to revamp ETPro sigs for phishing by excluding
> the valid domains from the signature with this method. Currently it uses
> isdataat, but endswith seems better? Is it more resource intensive than
> isdataat?
> Thanks!
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180417/53cedf67/attachment.html>

More information about the Oisf-users mailing list