Snort mailing list archives

spaces causing problems in content filters in win32 port of snort (resend)


From: "Tom H" <tom () scriptsupport co uk>
Date: Mon, 14 Jul 2003 22:44:07 +0100


Hi,

When a content filter contains a space ' ' or a '.' character, snort does not seem to be matching the text correctly.
i.e.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"P O R N free ZZZ"; content:"FREE ZZZ"; nocase; flow:to_client; classtype:kickass-p o r n; sid:1310; rev:5;)
never matches my test page with "FREE ZZZ" that I have created.
At the moment it will match single words like 'freezzz', but will not match 'free zzz' or words separated by dots 'alt.binarires.whatever'. Commenting out the dots '\.' seems to work for dots, but not for spaces, and this also has the pain of breaking a lot of the rules supplied along with snort.

Any ideas on whether I can fix this without changing lots of rules?

Cheers

Tom H


