0

If I do something like 

alert tcp any any <> any any (content:"TestA"; content:"TestB"; sid:1000000; msg:"Syntax correct!";)

then the syntax is correct, but, what I would like to do is to match either "TestA" or "TestB". So if I get "TestA" from somewhere to my local IP I am alerted and if I respond with "TestB" I am also alerted. This config only activates when both are present.

Is there a way to do this in the same line or do I have to just define new rules? Optimally it would be something like 

alert tcp any any <> any any (content:["TestA","TestB"]; something-else-to-do-or-over-the-list; sid:1000000; msg:"..";)

But do not find anything in the manual that can do that, the closest is a content-list but have not gotten that to work as I want either.

Pcre also seems like it could be an alternative, but it want me to insert some text into content before I can use regex. Is there even an OR operation in snort?

Salviati
  • 101
  • 5

1 Answers1

0

It is correct that it is possible to use pcre. In this example it would look like this

alert tcp any any <> any any (pcre:"/TestA|TestB/"; sid:1000000; msg:"Syntax correct!";)

As of now I do not know any other way of doing it

Salviati
  • 101
  • 5
  • But using pcre is likely slower than a string match. It might be faster to have two rules instead, one for TestA and one for testB. – Steffen Ullrich May 18 '20 at 14:25
  • Yeah I know it is slow, and I agree that it would be better to have two rules, but in this case I had to do it in one line. – Salviati May 18 '20 at 22:14