[Oisf-users] endswith

Jason Williams jwilliams at emergingthreats.net
Tue Apr 17 15:32:58 UTC 2018


endswith; and startswith; can be used in 4.1beta and forward. Endswith is
an easier way to express the same thing as isdataat:!1,relative;

I don't believe there is any significant performance case to use one over
the other, just easier to write/understand.

On Tue, Apr 10, 2018 at 6:33 AM, erik clark <philosnef at gmail.com> wrote:

> Wow, so, learn something new every day (recent post on list).
>
> Does endswith work with negation?
>
> content:!"realdomain.com"; endswith;
>
> I'm looking at this as a way to revamp ETPro sigs for phishing by excluding
> the valid domains from the signature with this method. Currently it uses
> isdataat, but endswith seems better? Is it more resource intensive than
> isdataat?
>
> Thanks!
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
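To make the equivalence Jason describes concrete, here is an added example (not from the thread or from Suricata's code) that models the two rule fragments on a byte buffer: `content:"X"; endswith;` versus `content:"X"; isdataat:!1,relative;`, plus the negated form from erik's question under the assumption that negation applies to the whole content-plus-endswith check. The sample host values are constructed.

```python
# Added example: a model of the Suricata rule idioms discussed in the thread,
# not Suricata's own matching engine.
#   content:"X"; endswith;              -> buffer ends with X
#   content:"X"; isdataat:!1,relative;  -> some match of X has no byte after it
#   content:!"X"; endswith;             -> buffer does NOT end with X (assumption)

def ends_with(buf: bytes, needle: bytes) -> bool:
    """content:"needle"; endswith;"""
    return len(buf) >= len(needle) and buf[-len(needle):] == needle


def isdataat_not_1_relative(buf: bytes, needle: bytes) -> bool:
    """content:"needle"; isdataat:!1,relative;

    Every occurrence of needle is tried, so a needle that appears more than
    once still matches when its last occurrence sits at the end of the buffer.
    """
    start = 0
    while True:
        idx = buf.find(needle, start)
        if idx < 0:
            return False
        if idx + len(needle) == len(buf):   # no data at offset 1 after the match
            return True
        start = idx + 1


def negated_ends_with(buf: bytes, needle: bytes) -> bool:
    """content:!"needle"; endswith; (assumed semantics: not at end of buffer)"""
    return not ends_with(buf, needle)


# Constructed sample Host values for the phishing-exclusion use case.
SAMPLES = [
    b"realdomain.com",                 # the legitimate domain itself
    b"login.realdomain.com",           # legitimate subdomain
    b"realdomain.com.evil.example",    # lookalike: legit name as a prefix
    b"realdomain.comrealdomain.com",   # needle occurs twice
    b"notrealdomain.com",              # lookalike: legit name as a suffix
]


def compare(buf: bytes, needle: bytes = b"realdomain.com") -> dict:
    """Evaluate all three forms on one buffer; endswith and isdataat agree."""
    return {
        "endswith": ends_with(buf, needle),
        "isdataat": isdataat_not_1_relative(buf, needle),
        "negated_endswith": negated_ends_with(buf, needle),
    }


if __name__ == "__main__":
    for s in SAMPLES:
        print(s, compare(s))
```

Note the last sample: a bare suffix like `realdomain.com` also matches `notrealdomain.com`, so an exclusion of valid domains usually wants the leading dot in the content (or an exact-length check) to avoid whitelisting lookalike hosts.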