[Snort-devel] Mis-Matching traffic with PCRE Rules
waseemsarwar103 at ...445...
Fri Mar 8 05:43:13 EST 2013
I have a pcre based rule as follow in my rules file,
alert udp any any -> any 53 (msg:"MALWARE domain capodeicapi.eu"; pcre:"m/capodeicapi.eu/i"; classtype:trojan-activity; sid:5000968;)
The issue I am facing is that this rule also matches for the domain http://capo.eu which it should not match. I am also facing similar problem with more pcre rules such that they match sub string based url of actual rules . I am using snort version 2.9.1.
Kindly let me know if I have any problem with snort syntax or pcre usage and how to resolve it. Your help will be highly appreciated. Thanks in anticipation.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-devel