[Snort-devel] Mis-Matching traffic with PCRE Rules

waseem sarwar waseemsarwar103 at ...445...
Fri Mar 8 05:43:13 EST 2013


Hi,
I have a PCRE-based rule as follows in my rules file:
alert udp any any -> any 53 (msg:"MALWARE domain capodeicapi.eu"; pcre:"m/capodeicapi.eu/i"; classtype:trojan-activity; sid:5000968;)
The issue I am facing is that this rule also matches for the domain http://capo.eu, which it should not match. I am also facing a similar problem with more PCRE rules, such that they match substring-based URLs of the actual rules. I am using Snort version 2.9.1.
Kindly let me know if I have any problem with Snort syntax or PCRE usage and how to resolve it. Your help will be highly appreciated. Thanks in anticipation.
Regards,
Waseem
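An added example, not part of the original post, showing in Python how the rule's pattern behaves against DNS wire-format query names (length-prefixed labels), where an unescaped "." also matches the label-length byte and nothing anchors the match to label boundaries, next to a label-aware pattern; the tightened pattern, the helper names and the sample domains are assumptions.

```python
import re


def encode_qname(name: str) -> bytes:
    """Encode a domain name as a DNS wire-format QNAME: one length byte per
    label followed by the label bytes, terminated by the root label (0x00).
    Query sections carry names uncompressed, so this is what the payload holds."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


# The rule's pattern as written: "." matches any byte (including the 0x02
# length byte that precedes "eu" on the wire) and the pattern may start
# anywhere inside a longer label or name.
LOOSE = re.compile(rb"capodeicapi.eu", re.IGNORECASE)

# Assumed tighter form: match the exact label bytes (0x0b = len("capodeicapi"),
# 0x02 = len("eu")) and require the terminating root label, so only the
# domain itself and its subdomains match.
TIGHT = re.compile(rb"\x0bcapodeicapi\x02eu\x00", re.IGNORECASE)


def matches(pattern: re.Pattern, name: str) -> bool:
    """True if the pattern fires on the wire-format encoding of name."""
    return pattern.search(encode_qname(name)) is not None


def compare(names):
    """Map each name to (loose_matches, tight_matches) for side-by-side review."""
    return {n: (matches(LOOSE, n), matches(TIGHT, n)) for n in names}


if __name__ == "__main__":
    # Constructed sample query names, not captured traffic.
    for name, (loose, tight) in compare([
        "capodeicapi.eu",
        "www.capodeicapi.eu",
        "capodeicapi.eu.example.com",
        "xcapodeicapi.eu",
        "capo.eu",
    ]).items():
        print(f"{name:30} loose={loose!s:5} tight={tight}")
```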

