Snort mailing list archives

exact phrase match


From: Dan <sophie_bo () earthlink net>
Date: Mon, 15 Dec 2003 14:39:50 -0600 (GMT-06:00)

OK...let's try this again. When I tell snort to look for "nc.exe" in the payload, I only want it to return alarms with 
an exact match of "nc.exe". However, it triggers alarms even when nc.exe is part of another word, such as:

"sync.exe"
"runc.exe"

I don't care if users are running sync.exe or runc.exe on the network. I am trying to catch people using netcat, thus 
the "nc.exe" search. How do I tell snort to only trigger an alarm on an exact phrase match? Because if I cannot do 
that, I am forced to look through thousands of alarm payloads that are false positives. Clearly a huge waste of time.

Thanks,

Dan
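The behaviour Dan describes, reproduced as an added Python example (not code from the original post or from the Snort project): a bare `content:"nc.exe";` test is a plain substring search, so "sync.exe" and "runc.exe" fire too, while a word-boundary regex of the kind Snort's `pcre` keyword accepts (assumed rule fragment: `content:"nc.exe"; nocase; pcre:"/\bnc\.exe\b/i";`) only fires when "nc.exe" stands on its own. The payloads below are constructed for the demonstration.

```python
import re

# Constructed sample payloads (not from the original post): the real netcat
# binary name in a few contexts, plus innocent names that merely contain
# "nc.exe" as a substring.
PAYLOADS = [
    b"GET /tools/nc.exe HTTP/1.0",           # netcat fetched over HTTP
    b"cmd.exe /c nc.exe -l -p 4444",         # netcat invoked directly
    b"running sync.exe on host",             # false positive for substring
    b"C:\\Program Files\\runc.exe",          # false positive for substring
    b"NC.EXE uploaded",                      # upper case variant
]

# What a bare Snort 'content:"nc.exe";' does: a case-sensitive substring test.
def content_match(payload: bytes, needle: bytes = b"nc.exe") -> bool:
    return needle in payload

# Equivalent of the assumed 'pcre:"/\bnc\.exe\b/i";' option. \b requires that
# the character before "n" and after "e" be a non-word character (or the
# payload edge), so "sync.exe" and "runc.exe" no longer match, while path
# separators such as "/" and "\" still count as boundaries and keep
# "/tools/nc.exe" and "C:\tools\nc.exe" matching. The "i" flag mirrors nocase.
WORD_BOUNDARY = re.compile(rb"\bnc\.exe\b", re.IGNORECASE)

def exact_word_match(payload: bytes) -> bool:
    return WORD_BOUNDARY.search(payload) is not None

def alerts(payloads, matcher):
    """Return the payloads a given matcher would raise an alert on."""
    return [p for p in payloads if matcher(p)]

if __name__ == "__main__":
    print("substring alerts:", alerts(PAYLOADS, content_match))
    print("word-boundary alerts:", alerts(PAYLOADS, exact_word_match))
```

In a real rule keep the `content` option alongside the `pcre`: the fast pattern matcher prefilters on the literal string and the regex is only evaluated on packets that already contain it.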


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

