[Snort-sigs] Help on getting rules to trigger alerts

Brian bmc at ...95...
Wed Feb 4 08:19:04 EST 2004


On Wed, Feb 04, 2004 at 07:45:03AM -0600, keith Loyd wrote:
> alert tcp any any -> any any (msg:"Social Security Number Clear Test";flow:stateless; pcre:"m!^(\d\d\d[-/]\d\d[-/]\d\d\d\d)\Z!";)

Your RE doesn't do what you think it does.  pcretest is your friend.

   re> !^(\d\d\d[-/]\d\d[-/]\d\d\d\d)\Z!
 data> My social security number is 234-45-9999
  No match
 data> 

    re> !(\d\d\d[-/]\d\d[-/]\d\d\d\d)\Z!
  data> My social security number is 234-45-9999
   0: 234-45-9999
   1: 234-45-9999
  data> 

Brian
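
The anchoring behaviour from the two pcretest runs above, as an added example that is not part of the original message. It goes one step further with a third pattern that drops both anchors; that `digit_guarded` pattern, the payloads and all names are constructed for illustration.

```python
import re

SSN = rb"(\d\d\d[-/]\d\d[-/]\d\d\d\d)"
# PCRE's \Z also matches just before a final newline; Python's \Z does not,
# so PCRE's behaviour is emulated here with a lookahead.
PCRE_Z = rb"(?=\n?\Z)"

PATTERNS = {
    # The RE from the posted rule: payload must be nothing but the number.
    "anchored_both": re.compile(rb"^" + SSN + PCRE_Z),
    # The RE from the second pcretest run: number must end the payload.
    "anchored_end": re.compile(SSN + PCRE_Z),
    # Assumption (not from the thread): no anchors, but neighbouring digits
    # are rejected so longer digit runs do not match.
    "digit_guarded": re.compile(rb"(?<!\d)" + SSN + rb"(?!\d)"),
}

# Constructed payloads; the number is the one used in the pcretest session.
SAMPLES = {
    "ssn_only": b"234-45-9999",
    "ssn_only_newline": b"234-45-9999\n",
    "ssn_at_end": b"My social security number is 234-45-9999",
    "ssn_mid_payload": b"ssn=234-45-9999&name=test",
    "longer_digit_run": b"order 1234-45-99990",
}


def evaluate(samples=SAMPLES):
    """Return {sample: {pattern: captured text or None}}."""
    results = {}
    for name, payload in samples.items():
        row = {}
        for label, rx in PATTERNS.items():
            m = rx.search(payload)
            row[label] = m.group(1).decode() if m else None
        results[name] = row
    return results


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:18}", row)
```
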



