Snort mailing list archives

Re: exact phrase match

From: Brian <bmc () snort org>
Date: Tue, 16 Dec 2003 08:18:09 -0500

On Mon, Dec 15, 2003 at 11:56:34PM -0600, Paul Schmehl wrote:

--On Monday, December 15, 2003 20:02:20 -0500 Brian <bmc () snort org> wrote:


Try... pcre.  :)

content:"nc.exe"; pcre:"/\wnc.exe\w/";

Brian, you're the man, but shouldn't that be:
content:'nc.exe'; pcre:'/\Wnc.exe\W/';


Oops, typo on my part.  No, it should be...

    content:"nc.exe"; pcre:"/\bnc.exe\b/";

Brian


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

exact phrase match Dan (Dec 15)
- Message not available
  - Re: exact phrase match Matt Kettler (Dec 15)
- Re: exact phrase match Brian (Dec 15)
  - Re: exact phrase match Paul Schmehl (Dec 15)
    - Re: exact phrase match Brian (Dec 16)
- Re: exact phrase match Sean Lazar (Dec 15)
  - Re: exact phrase match Divyang Desai (Dec 15)
    - Re: exact phrase match Nerijus Krukauskas (Dec 15)
- <Possible follow-ups>
- Re: exact phrase match adam_peterson (Dec 16)
- Re: exact phrase match Dan (Dec 18)
- RE: exact phrase match Schmehl, Paul L (Dec 18)