One way to do it would be to set those strings you want to match as separate
rules in a separate group. Match the first one, then use the <if_sid> tag
for the subsequent ones. Also, make sure that all rules in the group except
the last one have the noalert="1" property set.
Something like this:
<group name="mygroup">
  <rule id="10001" level="0" noalert="1">
    <match>String A</match>
  </rule>
  <rule id="10002" level="0" noalert="1">
    <if_sid>10001</if_sid>
    <match>String B</match>
  </rule>
  <rule id="10003" level="10">
    <if_sid>10002</if_sid>
    <match>String C</match>
    <description>Alert! All three strings matched</description>
  </rule>
</group>
Not necessarily the best way, but the only way I can think of. The noalerts
are needed to keep those alerts from firing if you match, say, strings A&B
but not C.
On Fri, May 16, 2008 at 11:18 AM, Dan Denton <[EMAIL PROTECTED]> wrote:
>
> Hello list.
>
> I see in the docs there's an OR operand, but is there a way to match
> multiple strings in a rule using an AND operand without using regexes?
>
> Thanks...
>
> Dan
>
>
>
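
Added example, not part of the original message and not OSSEC code: a simplified Python model of how the if_sid chain in the reply evaluates one log line, showing that only a line containing all three strings reaches the alerting rule. It assumes plain substring matching in place of OSSEC's own <match> syntax; load_rules and evaluate are hypothetical helper names, and the log lines are constructed.

```python
import xml.etree.ElementTree as ET

# Rule group as posted in the reply above.
RULES_XML = """
<group name="mygroup">
  <rule id="10001" level="0" noalert="1">
    <match>String A</match>
  </rule>
  <rule id="10002" level="0" noalert="1">
    <if_sid>10001</if_sid>
    <match>String B</match>
  </rule>
  <rule id="10003" level="10">
    <if_sid>10002</if_sid>
    <match>String C</match>
    <description>Alert! All three strings matched</description>
  </rule>
</group>
"""

def load_rules(xml_text):
    """Map rule id -> (parent id or None, match string, alerts?)."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        alerts = int(r.get("level")) > 0 and r.get("noalert") != "1"
        rules[r.get("id")] = (r.findtext("if_sid"), r.findtext("match"), alerts)
    return rules

def evaluate(rules, line):
    """Return (deepest rule matched, rule that alerts or None) for one log line."""
    current = None
    while True:
        # Assumption: a plain substring test stands in for OSSEC's <match> syntax.
        child = next((rid for rid, (parent, text, _) in rules.items()
                      if parent == current and text in line), None)
        if child is None:
            break
        current = child
    alerting = current if current and rules[current][2] else None
    return current, alerting

if __name__ == "__main__":
    # Constructed log lines, not real OSSEC input.
    for line in ("String C then String A then String B",
                 "String A and String B only",
                 "String B and String C only"):
        print(f"{line!r:45} -> {evaluate(load_rules(RULES_XML), line)}")
```

The order of the strings inside the line does not matter in this model, only the order in which the chained rules are tested.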