[Snort-sigs] nocase

Martin Olsson elof at ...1288...
Wed Jun 25 04:39:01 EDT 2003


I've tried to understand the manual for "nocase" but fail.

Take the sid 1062 as an example. It triggers on the content "nc.exe". In
my case it often triggers on "sync.exe", which I wish to disable.

Original:
msg:"WEB-MISC nc.exe attempt"; flow:to_server,established;
content:"nc.exe"; nocase; classtype:...

Modified 1:
msg:"WEB-MISC nc.exe attempt"; flow:to_server,established;
content:"nc.exe"; !content:"sync.exe"; nocase; classtype:...

Modified 2:
msg:"WEB-MISC nc.exe attempt"; flow:to_server,established;
content:"nc.exe"; nocase; !content:"sync.exe"; nocase; classtype:...


Question:
Does the nocase option affect all the contents in the rule or do I have to
add a nocase option after every content tag?

/Martin
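
The per-content behaviour asked about above, as an added example that is not part of the original post: a small Python model (not Snort code) in which `nocase` modifies only the `content` immediately before it, which is how Snort's content modifiers work. The negation is written in Snort's `content:!"..."` form, and the rule fragments and payloads are constructed for illustration.

```python
import re

# Recognises content:"..." / content:!"..." and a bare nocase; other options are ignored.
OPTION_RE = re.compile(r'content:\s*(!?)"([^"]*)"|(nocase)\s*;')

def parse_contents(options):
    """Return the content matches of a rule; nocase attaches to the content before it."""
    contents = []
    for m in OPTION_RE.finditer(options):
        if m.group(3):                      # a nocase modifier
            if contents:
                contents[-1]["nocase"] = True
        else:                               # a new content match
            contents.append({"pattern": m.group(2),
                             "negated": m.group(1) == "!",
                             "nocase": False})
    return contents

def rule_fires(options, payload):
    """True when every content matches and every negated content is absent."""
    for c in parse_contents(options):
        pattern, data = c["pattern"], payload
        if c["nocase"]:
            pattern, data = pattern.lower(), data.lower()
        found = pattern in data
        if found == c["negated"]:           # required but missing, or forbidden but present
            return False
    return True

# Constructed rule fragments modelled on the three variants in the post.
ORIGINAL    = 'content:"nc.exe"; nocase;'
ONE_NOCASE  = 'content:"nc.exe"; content:!"sync.exe"; nocase;'
BOTH_NOCASE = 'content:"nc.exe"; nocase; content:!"sync.exe"; nocase;'

# Constructed payloads.
PAYLOADS = ["GET /scripts/nc.exe HTTP/1.0",
            "GET /scripts/NC.EXE HTTP/1.0",
            "GET /tools/sync.exe HTTP/1.0",
            "GET /tools/SYNC.EXE HTTP/1.0"]

if __name__ == "__main__":
    for name, rule in [("original", ORIGINAL), ("one nocase", ONE_NOCASE),
                       ("both nocase", BOTH_NOCASE)]:
        for payload in PAYLOADS:
            print(f"{name:12} {payload:32} fires={rule_fires(rule, payload)}")
```

With a single trailing `nocase`, the `nc.exe` match becomes case-sensitive and the upper-case request no longer alerts; with `nocase` after each content, both matches ignore case.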




