Snort mailing list archives

Re: exact phrase match


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 15 Dec 2003 19:59:13 -0500

At 03:39 PM 12/15/2003, Dan wrote:

OK...let's try this again. When I tell snort to look for "nc.exe" in the payload, I only want it to return alarms with an exact match of "nc.exe". However, it triggers alarms even when nc.exe is part of another word, such as:

"sync.exe"
"runc.exe"

Well "nc.exe" *IS* an exact match for "sync.exe"... The thing you need to determine is, what kind of delimiter bytes surround it? Spaces? Nulls? etc.

"Phrase matching" is something natural to text, but network protocols aren't much like text. You can't say "look for this exact word", because what defines a word in a binary packet dump?


Perhaps if you're doing webserver rules you want to look for "/nc.exe" instead?
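The substring-versus-delimiter point in the reply above, worked through as an added Python example (this is not code from the thread or from Snort itself): a plain `content:`-style byte search, a delimiter-bounded search, and the "/nc.exe" path-anchored variant are run over the same payloads. The sample payloads and the delimiter set are constructed assumptions for the demo.

```python
import re

# Constructed sample payloads for this example (not from the original thread).
SAMPLES = {
    "http_get": b"GET /scripts/nc.exe HTTP/1.0\r\n",
    "sync_exe": b"GET /scripts/sync.exe HTTP/1.0\r\n",
    "runc_exe": b"GET /tools/runc.exe HTTP/1.0\r\n",
    "null_delim": b"\x00nc.exe\x00\x00README.TXT\x00",
    "mime_name": b'Content-Disposition: attachment; filename="nc.exe"\r\n',
}

# Assumed delimiter bytes for the demo: NUL, whitespace, path separators, quotes.
# The right set is protocol-specific, which is the point of the reply above.
DELIMS = rb"\x00\s/\\\"'"


def snort_content_match(payload: bytes, content: bytes) -> bool:
    # Snort's 'content:' is a plain byte-substring search, so "nc.exe"
    # is found inside "sync.exe" and "runc.exe" as well.
    return content in payload


def delimited_match(payload: bytes, content: bytes, delims: bytes = DELIMS) -> bool:
    # Require a delimiter byte (or payload start/end) on both sides of the
    # content; this is what "exact word" has to mean for a byte stream.
    pattern = (rb"(?:^|[" + delims + rb"])" + re.escape(content)
               + rb"(?:$|[" + delims + rb"])")
    return re.search(pattern, payload) is not None


def path_anchored_match(payload: bytes, content: bytes) -> bool:
    # The "/nc.exe" suggestion for web-server rules: still a substring
    # check, but the leading '/' rules out "sync.exe" and "runc.exe".
    return (b"/" + content) in payload


def compare(content: bytes = b"nc.exe") -> dict:
    # Run all three matchers over the samples; result is keyed by sample name.
    return {
        name: {
            "content": snort_content_match(p, content),
            "delimited": delimited_match(p, content),
            "path": path_anchored_match(p, content),
        }
        for name, p in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:11s} {result}")
```

Note that the path-anchored variant misses the NUL-delimited and MIME-quoted occurrences, while the delimiter-bounded variant catches them only because those bytes were put in the delimiter set; neither choice is "exact" in any protocol-independent sense.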





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users