[Snort-sigs] Getting an exact match on content

Graham, Robert rgraham at ...208...
Fri Nov 30 05:34:03 EST 2001


Is it possible to get an exact match of a word in the content section of a
rule?  I would like to implement resp, which I finally got working (maybe a
little too well), to block porn sites. One of the rules I am using is:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (content:"Anal"; nocase;
msg:"Adults List Access Attempt"; flags:A+; classtype:kickass-porn;
resp:rst_all;)

This seems to block the appropriate sites, however it also seems to block
sites that have analyzer (as an example) in the content.

Any help would be appreciated.

Robert Graham
rgraham at ...208...
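
The false positive described in the message above, as an added example that is not part of the original post: a Python model of a case-insensitive substring match (what content with nocase does) next to a whole-word match, run over constructed payloads. The function names and sample payloads are assumptions made for illustration.

```python
import re

KEYWORD = b"Anal"  # keyword taken from the rule in the post

def content_nocase(payload: bytes, keyword: bytes = KEYWORD) -> bool:
    """Model of content:"..."; nocase; as a case-insensitive substring search."""
    return keyword.lower() in payload.lower()

def whole_word(payload: bytes, keyword: bytes = KEYWORD) -> bool:
    """Match only when the keyword is not embedded in a longer alphanumeric run."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(keyword) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, payload, re.IGNORECASE) is not None

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "log analyzer page": b"GET /tools/log-analyzer.html HTTP/1.0\r\n\r\n",
    "analysis report": b"<title>Quarterly Analysis</title>",
    "embedded mid-word": b"<p>psychoanalytic theory</p>",
    "standalone, mixed case": b"<title>ANAL - members area</title>",
    "standalone in URL path": b"GET /anal/index.html HTTP/1.0\r\n\r\n",
    "unrelated": b"GET /index.html HTTP/1.0\r\n\r\n",
}

def compare(samples=SAMPLES):
    """Return {label: (substring_hit, whole_word_hit)} for each payload."""
    return {label: (content_nocase(p), whole_word(p)) for label, p in samples.items()}

def false_positives(samples=SAMPLES):
    """Payloads the substring rule fires on but whole-word matching does not."""
    return sorted(l for l, (sub, word) in compare(samples).items() if sub and not word)

if __name__ == "__main__":
    for label, (sub, word) in compare().items():
        print(f"{label:24} substring={sub!s:5} whole_word={word}")
    print("connections reset needlessly:", false_positives())
```

Snort releases that include the pcre rule option can express the same boundary as a regular expression instead of a bare content match.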