[Snort-sigs] Getting an exact match on content

Brian bmc at ...95...
Fri Nov 30 05:58:08 EST 2001


According to Graham, Robert:
> Is it possible to get an exact match of a word in the content section of a
> rule?  I would like to implement resp which I finally got working (maybe a
> little too well) to block porn sites. One of the rules I am using is:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (content:"Anal"; nocase; msg:
> "Adults List Access Attempt"; flags:A+; classtype:kickass-porn;
> resp:rst_all;)
> 
> This seems to block the appropriate sites, however it also seems to block
> sites that have analyzer (as an example) in the content.

Instead of:
   content:"anal"; nocase;
Use:
   content:"anal "; nocase;


-- 
Win-NT: if it hasn't crashed yet, just wait a minute.
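
Added example (not part of the original post, and not Snort code): a Python sketch that emulates a `content:"..."; nocase;` substring match over constructed payloads, comparing the bare keyword, the trailing-space variant suggested above, and a regex word boundary. The word-boundary case goes beyond what the thread proposes; the payloads and helper names are assumptions made for illustration.

```python
import re

# Constructed sample payloads (not captured traffic).
PAYLOADS = [
    b"<title>Protocol analyzer download</title>",  # benign: keyword inside "analyzer"
    b"<h1>Quarterly Analysis</h1>",                # benign: keyword inside "Analysis"
    b"<title>Anal gallery</title>",                # keyword followed by a space
    b'<a href="/anal.html">',                      # keyword followed by '.'
    b"<p>free anal",                               # keyword at the very end of the payload
]


def content_match(payload: bytes, content: bytes) -> bool:
    """Emulate content:"..."; nocase; as a case-insensitive substring search."""
    return content.lower() in payload.lower()


def word_match(payload: bytes, word: bytes) -> bool:
    """Whole-word match: the keyword may not touch a letter, digit or underscore."""
    pattern = rb"\b" + re.escape(word) + rb"\b"
    return re.search(pattern, payload, re.IGNORECASE) is not None


def hits(matcher, pattern: bytes) -> list:
    """Return the indexes of PAYLOADS that the given matcher flags."""
    return [i for i, p in enumerate(PAYLOADS) if matcher(p, pattern)]


if __name__ == "__main__":
    # Bare keyword: flags every payload, including the two benign ones.
    print("content 'anal'  :", hits(content_match, b"anal"))
    # Trailing space: drops the false positives, but also misses the keyword
    # when it is followed by punctuation or ends the payload.
    print("content 'anal ' :", hits(content_match, b"anal "))
    # Word boundary: drops the false positives and keeps all three real hits.
    print("word boundary   :", hits(word_match, b"anal"))
```

Snort releases that include the `pcre` rule option can express the word-boundary form directly in a rule.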




