Forum Discussion

1 Reply

  • nathe's avatar
    Icon for Cirrocumulus rankCirrocumulus

    And definitely, you can list the consituent parts of an attack sig e.g.

    headercontent:"curl"; nocase; valuecontent:"curl"; norm;
    would check for curl in the header fields AND curl in a parameter, the attack sig would trigger if both existed.

    As for OR - i think you have to use regex for this in the signature (re2 or pcre).

    Hope this helps,