Snort mailing list archives

plain text in content option triggering false alerts


From: Dan <sophie_bo () earthlink net>
Date: Sat, 13 Dec 2003 10:42:29 -0600 (GMT-06:00)

Hi,

I have a question about whether or not I can tune plain text content for greater granularity and fewer false alerts. 
For example, when searching for netcat usage on the network, I use the following snort rule:

WEB-MISC nc.exe attempt

Desc: This event is generated when an attempt is made to execute Netcat via a web session.

Signature:      alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nc.exe attempt"; 
flow:to_server,established; content:"nc.exe"; nocase; classtype:web-application-activity; sid:1062; rev:5;)

Problem: Instead of triggering only on “nc.exe”, alerts are being generated any time “nc.exe” is part of a 
word. Sample payload output from three different alerts:
        
<WMIValue>rcsync.exe</WMIValue
<WMIValue>WinVNC.exe</WMIVal
<WMIValue>Sync.exe

I only want the alert triggered when "nc.exe" is found, not when it is found as part of another word. This applies to 
a lot of other rules that use plain text content for triggering alerts. Any time the plain text is searched it will 
trigger an alert even if the plain text is inside another word. Another example is the chat IRC NICK change rule, the 
content option "nick" is triggered by:

"Nick Jones"
"nickle"
"Dominick"

How do I tell it to search for only "nick" or only "nc.exe", and not trigger when it's part of another word?

Thanks,

Dan
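An added illustration, not part of Dan's post or of the Snort rule set, of why a plain content match fires on the payloads quoted above and how a token-boundary match (the kind a PCRE `\b` expresses) behaves on the same samples. The HTTP request line and the IRC `NICK` command line are constructed extra samples, and the anchored NICK pattern assumes the client sends the command word in upper case at the start of the line.

```python
import re

# Payloads quoted in the post, plus one constructed line that a netcat rule is
# actually meant to catch (the "GET ..." request).
NC_SAMPLES = [
    "<WMIValue>rcsync.exe</WMIValue>",
    "<WMIValue>WinVNC.exe</WMIValue>",
    "<WMIValue>Sync.exe</WMIValue>",
    "GET /cgi-bin/nc.exe HTTP/1.0",  # constructed
]

# Strings quoted in the post, plus one constructed real IRC NICK command.
NICK_SAMPLES = [
    "Nick Jones",
    "nickle",
    "Dominick",
    "NICK evil_user",  # constructed
]


def content_nocase(payload: str, needle: str) -> bool:
    """Emulates content:"needle"; nocase; -- a case-insensitive substring search.

    Any occurrence counts, so "nc.exe" inside "rcsync.exe" is a hit."""
    return needle.lower() in payload.lower()


def word_bounded(payload: str, needle: str) -> bool:
    """Case-insensitive match only where the needle is a whole token.

    \\b is a boundary between a word character ([A-Za-z0-9_]) and a non-word
    character, so "nc.exe" preceded by "y" (as in rcsync.exe) does not match,
    while "/nc.exe " does. Note that "Nick Jones" still matches "nick" here:
    it *is* a whole word, so a boundary alone cannot tell it apart from the
    IRC command."""
    pattern = r"\b" + re.escape(needle) + r"\b"
    return re.search(pattern, payload, re.IGNORECASE) is not None


def irc_nick_command(payload: str) -> bool:
    """Stricter, constructed pattern for the IRC NICK command itself.

    Assumes the client sends the command word upper-cased at the start of the
    line, followed by whitespace and a nickname. Case-sensitive on purpose so
    that prose such as "Nick Jones" is not treated as a command."""
    return re.match(r"^NICK\s+\S+", payload) is not None


def substring_only_hits(samples, needle):
    """Payloads the plain content match fires on but the token match does not,
    i.e. the false positives the post complains about."""
    return [p for p in samples
            if content_nocase(p, needle) and not word_bounded(p, needle)]


def main():
    for needle, samples in (("nc.exe", NC_SAMPLES), ("nick", NICK_SAMPLES)):
        print(f"needle {needle!r}")
        for p in samples:
            print(f"  {p!r:40} substring={content_nocase(p, needle)!s:5} "
                  f"bounded={word_bounded(p, needle)}")
        print("  substring-only (false positives):", substring_only_hits(samples, needle))
    print("NICK command lines:", [p for p in NICK_SAMPLES if irc_nick_command(p)])


if __name__ == "__main__":
    main()
```

Running it shows all three quoted `nc.exe` payloads as substring-only hits, and that a word boundary removes `nickle` and `Dominick` but not `Nick Jones`; only the anchored command form separates that one from a genuine `NICK` message.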


