Forum Discussion
- natheCirrocumulus
And definitely, you can list the constituent parts of an attack sig, e.g.
headercontent:"curl"; nocase; valuecontent:"curl"; norm;
would check for curl in the header fields AND curl in a parameter; the attack sig would trigger if both existed.
As for OR - I think you have to use regex for this in the signature (re2 or pcre).
Hope this helps,
N