Forum Discussion
nathe
May 09, 2017Cirrocumulus
And definitely, you can list the consituent parts of an attack sig e.g.
headercontent:"curl"; nocase; valuecontent:"curl"; norm;
would check for curl in the header fields AND curl in a parameter, the attack sig would trigger if both existed.
As for OR - i think you have to use regex for this in the signature (re2 or pcre).
Hope this helps,
N