[Snort-users] Better regex expression ($ of "end of string")

Brian bmc at ...950...
Mon Nov 25 17:33:05 EST 2002


On Fri, Nov 22, 2002 at 03:23:30PM -0500, Vincent Corriveau wrote:
> I want to have an alert when a user requests an applet (.cab request)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
>  ( \
>   msg: "HTTP GET .cab"; \
>   uricontent: ".cab"; nocase; \
>   flags: A+; \
>   classtype: criq; \
>  )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
   ( msg:"HTTP GET .cab"; flow:to_server,established; \
   uricontent:".cab"; nocase; content:".cab ";        \
   nocase;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
   ( msg:"HTTP GET .cab"; flow:to_server,established; \
   uricontent:".cab"; nocase; content:".cab|09|";     \
   nocase;)

-brian
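
The effect of the extra content match in the two rules above, modelled in Python as an added example (not part of the original message and not Snort's matching engine). The function names and sample requests are constructed, and URI normalization is not modelled.

```python
# Simplified model of the rule options discussed in this thread.
# Assumption: payload is one raw HTTP request; Snort's URI normalization
# and stream reassembly are not modelled.

def request_uri(payload: bytes) -> bytes:
    """Return the URI field of the HTTP request line."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(None, 2)  # method, URI, version (space or tab separated)
    return parts[1] if len(parts) >= 2 else b""

def contains_nocase(haystack: bytes, needle: bytes) -> bool:
    """Equivalent of a content match with the nocase modifier."""
    return needle.lower() in haystack.lower()

def original_rule(payload: bytes) -> bool:
    # uricontent:".cab"; nocase;  -> matches ".cab" anywhere in the URI
    return contains_nocase(request_uri(payload), b".cab")

def reply_rules(payload: bytes) -> bool:
    # uricontent:".cab" AND (content:".cab " OR content:".cab|09|"), all nocase.
    # The trailing space or tab is the request-line delimiter, so it anchors
    # ".cab" to the end of the URI without needing a regex "$".
    if not original_rule(payload):
        return False
    return (contains_nocase(payload, b".cab ")
            or contains_nocase(payload, b".cab\x09"))

TAIL = b"\r\nHost: example.test\r\n\r\n"
SAMPLES = {  # constructed request lines
    "plain":     b"GET /applets/viewer.cab HTTP/1.0" + TAIL,
    "uppercase": b"GET /APPLETS/VIEWER.CAB HTTP/1.0" + TAIL,
    "tab":       b"GET /applets/viewer.cab\tHTTP/1.0" + TAIL,
    "substring": b"GET /docs/file.cabinet.html HTTP/1.0" + TAIL,
    "query":     b"GET /applets/viewer.cab?v=2 HTTP/1.0" + TAIL,
}

def evaluate() -> dict:
    """Map sample name -> (original rule fires, reply rules fire)."""
    return {name: (original_rule(p), reply_rules(p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (orig, reply) in evaluate().items():
        print(f"{name:10} original={orig!s:5} reply={reply}")
```

The "substring" sample is the false positive the added content match removes; the "query" sample shows that a URI with a query string after `.cab` no longer alerts, which may need its own rule if those requests matter.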



