[Snort-sigs] Getting an exact match on content
bmc at ...95...
Fri Nov 30 05:58:08 EST 2001
According to Graham, Robert:
> Is it possible to get an exact match of a word in the content section of a
> rule? I would like to implement resp which I finally got working (maybe a
> little too well) to block porn sites. One of the rules I am using is:
> alert tcp $EXTENAL_NET -> $HOME_NET any (content:"Anal"; nocase; msg:
> "Adults List Access Attempt"; flags:A+; classtype:kickass-porn;
> This seems to block the appropriate sites, however it also seems to block
> sites that have analyzer (as an example) in the content.
content:"anal "; nocase;
Win-NT: if it hasn't crashed yet, just wait a minute.
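
The difference between the two content patterns in this thread, as an added example that is not part of the original post. It models content with nocase as a case-insensitive substring search; the payloads are constructed, and the word-boundary regex is an assumed definition of "exact match" shown only for comparison.

```python
import re

# Constructed sample payloads (not taken from the thread).
SAMPLES = {
    "target_mid":  b"GET /anal pics HTTP/1.0",
    "analyzer":    b"Download our log analyzer today",
    "analysis":    b"notes on psychoanalysis",
    "punctuated":  b"category: Anal.",
    "end_of_data": b"keyword=anal",
    "canal":       b"a canal boat",
}

def content_match(payload: bytes, pattern: bytes) -> bool:
    """Model of content + nocase: case-insensitive byte substring search."""
    return pattern.lower() in payload.lower()

# Assumed meaning of "exact word": not preceded or followed by a word character.
WORD = re.compile(rb"\banal\b", re.IGNORECASE)

def word_match(payload: bytes) -> bool:
    return WORD.search(payload) is not None

def compare() -> dict:
    """Return, per sample, which of the three matchers fire."""
    return {
        name: {
            "anal": content_match(p, b"anal"),         # rule from the question
            "anal_space": content_match(p, b"anal "),  # rule from the reply
            "word": word_match(p),                     # whole-word comparison
        }
        for name, p in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:12} {hits}")
```

The trailing space removes the "analyzer" hit, but it still fires on words that end in the string ("canal ") and no longer fires when the word is followed by punctuation or ends the payload.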