Snort mailing list archives

Re: exact phrase match


From: Brian <bmc () snort org>
Date: Mon, 15 Dec 2003 20:02:20 -0500

On Mon, Dec 15, 2003 at 02:39:50PM -0600, Dan wrote:
> OK...let's try this again. When I tell Snort to look for "nc.exe" in the payload, I only want it to return alarms
> with an exact match of "nc.exe". However, it triggers alarms even when nc.exe is part of another word, such as:
>
> "sync.exe"
> "runc.exe"

Try... pcre.  :)

content:"nc.exe"; pcre:"/\bnc\.exe\b/";

Brian
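
Added example, not part of the original message: it compares a bare content match on "nc.exe" with three ways of delimiting the string in a regex (the `\w` class, the `\W` class, and `\b` word boundaries) to show which ones fire on embedded names such as "sync.exe". Python's `re` module on bytes stands in for Snort's pcre option here (an assumption), and the payloads are constructed samples.

```python
import re

# Constructed sample payloads (not captured traffic).
PAYLOADS = [
    b"GET /tools/nc.exe HTTP/1.0",  # 0: standalone, delimited by '/' and ' '
    b"start sync.exe /all",         # 1: embedded, preceded by 'y'
    b"runc.exe",                    # 2: embedded, ends the payload
    b"nc.exe",                      # 3: standalone, is the whole payload
    b"del sync.exe_old",            # 4: word characters on both sides
]

# Candidate patterns. Bytes patterns keep \w, \W and \b ASCII-only.
PATTERNS = {
    # Plain substring search, like a content match with no regex.
    "content only": re.compile(re.escape(b"nc.exe")),
    # \w is a word character, so this REQUIRES the string to be embedded;
    # the unescaped '.' also matches any byte.
    r"\w...\w": re.compile(rb"\wnc.exe\w"),
    # \W is a non-word character; it must consume one byte on each side,
    # so it misses the string at the very start or end of the payload.
    r"\W...\W": re.compile(rb"\Wnc\.exe\W"),
    # \b is a zero-width word boundary; it also holds at start and end.
    r"\b...\b": re.compile(rb"\bnc\.exe\b"),
}


def hits(name):
    """Return the indexes of PAYLOADS on which the named pattern fires."""
    rx = PATTERNS[name]
    return [i for i, payload in enumerate(PAYLOADS) if rx.search(payload)]


def report():
    """Map each pattern name to the payload indexes it fires on."""
    return {name: hits(name) for name in PATTERNS}


if __name__ == "__main__":
    for name, idx in report().items():
        fired = [PAYLOADS[i].decode() for i in idx]
        print(f"{name:14} fires on {fired}")
```
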



