Re: exact phrase match

[Dan <sophie_bo () earthlink net>]

Greetings,

The original snort rule:


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nc.exe attempt"; flow:to_server,established; 
content:"nc.exe"; nocase; classtype:web-application-activity; sid:1062; rev:5;) 

Summary: netcat execution attempt

Goal: Have Snort only alert on the exact phrase match of "nc.exe"

Currently: Currently, Snort is alerting when nc.exe is part of another word...examples:

"sync.exe"
"cspsync.exe"


Could you please tell me what the pcre:"/\bnc.exe\b/"; parameter does? Does this tell Snort to only alert on an exact 
phrase match?

Thanks,

Dan



Oops, typo on my part.  No, it should be...

    content:"nc.exe"; pcre:"/\bnc.exe\b/";

Brian


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users