Snort mailing list archives

PCRE plugin for exact phrase match


From: Dan <sophie_bo () earthlink net>
Date: Thu, 18 Dec 2003 19:17:55 -0800 (PST)

Do I need the pcre plugin and the perl plugin, or just the pcre plugin?

http://www.snort.org/dl/contrib/patches/snort-pcre/

http://www.snort.org/dl/contrib/patches/snort-perl/

-----Original Message-----
From: "Schmehl, Paul L" <pauls () utdallas edu>
Sent: Dec 18, 2003 3:02 PM
To: 
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] exact phrase match

-----Original Message-----
From: Dan [mailto:sophie_bo () earthlink net] 
Sent: Thursday, December 18, 2003 4:39 PM
To: Brian; Schmehl, Paul L
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] exact phrase match

Could you please tell me what the pcre:"/\bnc.exe\b/"; 
parameter does? Does this tell Snort to only alert on an 
exact phrase match?

Pcre is just Perl Compatible Regular Expressions.  The expression
/\bnc.exe\b/ means 
"match the string nc.exe with a word boundary at the beginning and end
of the string".  So nc.exe must be a word that has no preceding or
trailing letters.  That eliminates matching on things such as "sync.exe"
because the beginning word boundary is not nc, but sync.
 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
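
The word-boundary behaviour described in the reply above, as an added example that is not part of the original thread. Python's re module with byte patterns stands in for Snort's pcre option (the two agree on \b, ".", "\." and case-insensitive matching); the payload strings are constructed, and the tightened pattern is this example's own assumption, not a rule proposed in the thread.

```python
import re

# Pattern exactly as quoted in the thread: pcre:"/\bnc.exe\b/"
THREAD_PATTERN = re.compile(rb"\bnc.exe\b")

# Tightened variant (assumption of this example, not from the thread):
# "\." makes the dot literal, IGNORECASE corresponds to PCRE's /i modifier.
TIGHTENED_PATTERN = re.compile(rb"\bnc\.exe\b", re.IGNORECASE)

# Constructed payload fragments for testing rule precision.
SAMPLES = [
    b"GET /scripts/nc.exe HTTP/1.0",    # the string the rule is meant to catch
    b"GET /tools/sync.exe HTTP/1.0",    # "y" before "nc": no leading boundary
    b"GET /scripts/nc.exe2 HTTP/1.0",   # "2" after "exe": no trailing boundary
    b"GET /docs/nc_exe.html HTTP/1.0",  # unescaped "." also matches "_"
    b"GET /scripts/NC.EXE HTTP/1.0",    # case differs from the pattern
]


def classify(payload: bytes) -> tuple[bool, bool]:
    """Return (thread pattern matched, tightened pattern matched)."""
    return (
        THREAD_PATTERN.search(payload) is not None,
        TIGHTENED_PATTERN.search(payload) is not None,
    )


def report() -> dict[bytes, tuple[bool, bool]]:
    """Classify every constructed sample with both patterns."""
    return {payload: classify(payload) for payload in SAMPLES}


if __name__ == "__main__":
    for payload, (thread_hit, tight_hit) in report().items():
        print(f"{payload.decode():38} thread={thread_hit!s:5} tightened={tight_hit}")
```

The byte patterns keep \w ASCII-only, which matches PCRE's default treatment of packet payloads.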


