Added by Will Metcalf over 16 years ago. Updated over 16 years ago.
Description
for example content:!"PASS"; is completely valid in snort but doesn't work in our engine. However content:"!PASS"; does. unit test attached to display the issue.
Files
| 0001-failing-unit-test-for-outside-of-negated-content.patch (1.42 KB) 0001-failing-unit-test-for-outside-of-negated-content.patch | failing unittest for ! outside of "" in negated content matches | Will Metcalf, 11/19/2009 04:52 PM | |
| 0001-Fix-for-handling-negated-content-CONTENT.patch (3.36 KB) 0001-Fix-for-handling-negated-content-CONTENT.patch | Anoop Saldanha, 12/02/2009 12:13 AM |
Will Metcalf wrote:
for example content:!"PASS"; is completely valid in snort but doesn't work in our engine.
I thought it does. I think it is the other way round. !\"CONTENT\" is supported
However content:"!PASS"; does. unit test attached to display the issue.
This isn't supported.
The test patch you supplied would fail, because you have called SigTestNegativeTestContent and not SigTestPositiveTestContent.
If you meant \"!PASS\" should also be supported, here is a patch.;
Applied, thanks guys.