[Snort-sigs] Getting an exact match on content

g.coochey at ...138...
Fri Nov 30 06:49:06 EST 2001


> In reply to Brian <bmc at ...95...>:
> 
> > Instead of:
> >    content:"anal"; nocase;
> > Use:
> >    content:"anal "; nocase;
> 
> Maybe dumb questions:
> - would this match the word "banal " ?

Instead of:
    content:"anal "; nocase;
Use
    content:" anal "; nocase;

To be honest though, this looks like a bad rule. The word " anal " is going to throw up too many false positives, and with REST you'll get a lot of angry users.

Try:

    content:" anal "; nocase; content:" sex "; nocase;
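
The matching behaviour discussed in this thread, as an added example that is not part of the original post: a small Python model (not Snort code) that treats `content` with `nocase` as a case-insensitive substring search and requires every `content` option in a rule to match. The payloads are constructed and the function names are hypothetical.

```python
# Added illustration, not Snort source: content/nocase modelled as a
# case-insensitive byte-substring search over the packet payload.

def content_match(payload, pattern, nocase=True):
    """True if pattern occurs anywhere in payload (no word-boundary logic)."""
    if nocase:
        payload, pattern = payload.lower(), pattern.lower()
    return pattern in payload

def rule_fires(payload, contents):
    """A rule with several content options fires only if all of them match."""
    return all(content_match(payload, c) for c in contents)

# The four variants that appear in the thread.
RULES = {
    "bare":     [b"anal"],
    "trailing": [b"anal "],
    "padded":   [b" anal "],
    "combined": [b" anal ", b" sex "],
}

# Constructed payloads exercising each boundary case.
PAYLOADS = {
    "banal":     b"a banal remark",              # word ending in the pattern
    "analysis":  b"Quarterly ANALYSIS report",   # word starting with the pattern
    "mid":       b"the word anal appears here",  # spaces on both sides
    "edges":     b"anal sex",                    # both words, no outer spaces
    "both_mid":  b"xx anal and sex yy",          # both words, space-delimited
}

def evaluate():
    """Map each payload name to the sorted list of rule names that fire."""
    return {
        name: sorted(r for r, c in RULES.items() if rule_fires(data, c))
        for name, data in PAYLOADS.items()
    }

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:9s} -> {fired or 'no match'}")
```

The "edges" payload shows the cost of space padding: a word at the very start or end of the payload, or next to punctuation, is missed by the padded patterns.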
