Snort mailing list archives
Re: exact phrase match
From: Brian <bmc () snort org>
Date: Mon, 15 Dec 2003 20:02:20 -0500
On Mon, Dec 15, 2003 at 02:39:50PM -0600, Dan wrote:
OK...let's try this again. When I tell snort to look for "nc.exe" in the payload, I only want it to return alarms with an exact match of "nc.exe". However, it triggers alarms even when nc.exe is part of another word, such as: "sync.exe" "runc.exe"
Try... pcre. :)

content:"nc.exe"; pcre:"/\bnc\.exe\b/";

Brian
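Added example, not part of the original post and not Snort code: a comparison of a plain substring match with three regex variants for "nc.exe as a whole token". It assumes Python's re module behaves like Snort's PCRE engine for \b, \w and \W on ASCII bytes; the payloads are constructed and the pattern names are hypothetical.

```python
import re

# Candidate ways to express "nc.exe as a whole token" over raw payload bytes.
# Assumption: Python's re stands in for Snort's PCRE engine here.
PATTERNS = {
    "content_only": re.compile(rb"nc\.exe"),      # plain substring, like content:"nc.exe"
    "inner_w":      re.compile(rb"\wnc\.exe\w"),  # word character required on BOTH sides
    "outer_W":      re.compile(rb"\Wnc\.exe\W"),  # non-word character required on both sides
    "boundary":     re.compile(rb"\bnc\.exe\b"),  # zero-width word boundaries
}

# Constructed payloads (not captured traffic); True means the rule should alert.
SAMPLES = [
    (b"GET /scripts/nc.exe HTTP/1.0", True),
    (b"nc.exe", True),                        # token is the entire payload
    (b"del nc.exe\r\n", True),
    (b"C:\\WINNT\\system32\\sync.exe", False),
    (b"copy runc.exe backup", False),
    (b"nc.exe1 junk", False),
]

def evaluate(name):
    """Return (false_positives, false_negatives) payload lists for one pattern."""
    rx = PATTERNS[name]
    fp = [p for p, want in SAMPLES if rx.search(p) and not want]
    fn = [p for p, want in SAMPLES if not rx.search(p) and want]
    return fp, fn

def report():
    """Map each pattern name to (false positive count, false negative count)."""
    return {name: tuple(len(x) for x in evaluate(name)) for name in PATTERNS}

if __name__ == "__main__":
    for name, (fp, fn) in report().items():
        print(f"{name:13} false_pos={fp} false_neg={fn}")
```

The \W form consumes a character on each side, so it misses the token at the very start or end of a payload; \b is zero-width and does not.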