[Snort-sigs] nocase

Brian bmc at ...95...
Fri Jun 27 15:54:05 EDT 2003


On Wed, Jun 25, 2003 at 01:36:58PM +0200, Martin Olsson wrote:
> Take the sid 1062 as an example. It triggers on the content "nc.exe". In
> my case it often triggers on "sync.exe", which I wish to disable.

What you had:
> content:"nc.exe"; nocase; classtype:...

What you tried:
> content:"nc.exe"; !content:"sync.exe"; nocase; classtype:...
<snip>
> content:"nc.exe"; nocase; !content:"sync.exe"; nocase; classtype:...

Those won't work.

Try this:

content:"nc.exe"; nocase; content:!"sync.exe"; nocase;

Really, you want to do some negative distance to be exact.

content:"nc.exe"; nocase; content:!"sync.exe"; distance:-8; within:8;

-brian
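
The difference between the two suggested rules, as an added example that is not part of the original message: a simplified Python model of the content checks, not Snort's own engine. The sample payloads are constructed, `neg_nocase` is a hypothetical switch for whether the negated content carries its own nocase, and the model assumes the engine retries later "nc.exe" occurrences when the relative check fails.

```python
SUFFIX = b"nc.exe"    # content:"nc.exe"; nocase;
BENIGN = b"sync.exe"  # content:!"sync.exe";


def match_ends(payload, pattern):
    """End offsets of every case-insensitive occurrence (content + nocase)."""
    hay, needle = payload.lower(), pattern.lower()
    ends, i = [], hay.find(needle)
    while i != -1:
        ends.append(i + len(needle))
        i = hay.find(needle, i + 1)
    return ends


def alerts_global(payload):
    """Model of: content:"nc.exe"; nocase; content:!"sync.exe"; nocase;
    The negation covers the whole payload, not just the bytes around the match."""
    return bool(match_ends(payload, SUFFIX)) and not match_ends(payload, BENIGN)


def alerts_relative(payload, distance=-8, within=8, neg_nocase=False):
    """Model of: content:"nc.exe"; nocase; content:!"sync.exe"; distance:-8; within:8;
    The negation only inspects the 8 bytes that end where "nc.exe" ends."""
    for end in match_ends(payload, SUFFIX):
        start = end + distance                      # distance is relative to the match end
        window = payload[max(start, 0):max(start + within, 0)]
        needle = BENIGN
        if neg_nocase:                              # nocase applies per content keyword
            window, needle = window.lower(), needle.lower()
        if needle not in window:
            return True                             # this "nc.exe" is not part of "sync.exe"
    return False


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b"GET /scripts/nc.exe HTTP/1.0",         # plain nc.exe
    b"GET /bin/sync.exe HTTP/1.0",           # the false positive from the thread
    b"GET /sync.exe?next=/nc.exe HTTP/1.0",  # both strings in one payload
    b"GET /SYNC.EXE HTTP/1.0",               # upper-case variant
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, alerts_global(p), alerts_relative(p), alerts_relative(p, neg_nocase=True))
```

The third sample shows why the relative form is more exact: the payload-wide negation suppresses the alert whenever "sync.exe" appears anywhere, while the relative check still alerts on the separate "nc.exe". The fourth shows that the negated content needs its own nocase to cover upper-case "SYNC.EXE".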



