[Snort-users] plain text in content option triggering false alerts

Dan sophie_bo at ...741...
Sat Dec 13 08:43:01 EST 2003


Hi,

I have a question about whether or not I can tune plain text content for greater granularity and fewer false alerts. For example, when searching for netcat usage on the network, I use the following snort rule:

WEB-MISC nc.exe attempt

Desc: This event is generated when an attempt is made to execute Netcat via a web session.

Signature: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nc.exe attempt"; flow:to_server,established; content:"nc.exe"; nocase; classtype:web-application-activity; sid:1062; rev:5;)

Problem: Instead of triggering only on “nc.exe”, alerts are being generated any time “nc.exe” is part of a word. Sample payload output from three different alerts:
<WMIValue>rcsync.exe</WMIValue
<WMIValue>WinVNC.exe</WMIVal
<WMIValue>Sync.exe

I only want the alert triggered when "nc.exe" is found, not when it is found as part of another word. This applies to a lot of other rules that use plain text content for triggering alerts. Any time the plain text is searched it will trigger an alert even if the plain text is inside another word. Another example is the chat IRC NICK change rule, the content option "nick" is triggered by:

"Nick Jones"
"nickle"
"Dominick"

How do I tell it to search for only "nick" or only "nc.exe", and not trigger when it's part of another word?

Thanks,

Dan
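The behaviour Dan describes is exactly what the content option does: it is a plain (with nocase, case-insensitive) substring search over the payload, so any longer token containing the literal hits. The usual way to require a whole token is Snort's pcre option with word boundaries, e.g. pcre:"/\bnc\.exe\b/i". The script below is an added example and not part of the original post or of the Snort rule set; it replays the six payload fragments quoted above (plus two constructed true positives) through a substring check and a word-boundary check so the difference in what fires is visible, and renders the equivalent pcre fragment for a given literal.

```python
import re

# Constructed sample payload fragments: the three WMIValue values and the three
# "nick" strings quoted in the post, plus two constructed true positives.
SAMPLE_PAYLOADS = [
    "<WMIValue>rcsync.exe</WMIValue",
    "<WMIValue>WinVNC.exe</WMIVal",
    "<WMIValue>Sync.exe",
    "GET /scripts/nc.exe HTTP/1.0",   # constructed: a request that should fire
    "Nick Jones",
    "nickle",
    "Dominick",
    "NICK evil_bot",                  # constructed: an IRC nick change that should fire
]


def content_match(payload: str, needle: str) -> bool:
    # Mimics content:"needle"; nocase; which is a case-insensitive substring search,
    # so the literal also matches inside a longer token.
    return needle.lower() in payload.lower()


def word_boundary_match(payload: str, word: str) -> bool:
    # Mimics pcre:"/\bword\b/i"; the literal must be delimited by non-word
    # characters (or the start/end of the buffer) on both sides.
    pattern = r"\b" + re.escape(word) + r"\b"
    return re.search(pattern, payload, re.IGNORECASE) is not None


def snort_pcre_option(word: str) -> str:
    # Renders the pcre rule option for a whole-token match of `word`.
    # This is a suggested rule fragment, not text from the post's rule.
    return 'pcre:"/\\b' + re.escape(word) + '\\b/i";'


def compare(payloads, needle):
    # Returns {payload: (substring_hit, word_boundary_hit)} for every payload.
    return {p: (content_match(p, needle), word_boundary_match(p, needle)) for p in payloads}


if __name__ == "__main__":
    for needle in ("nc.exe", "nick"):
        print(f"--- {needle}: {snort_pcre_option(needle)}")
        for payload, (sub_hit, wb_hit) in compare(SAMPLE_PAYLOADS, needle).items():
            print(f"content:{sub_hit!s:<6} pcre:{wb_hit!s:<6} {payload}")
```

Word boundaries remove the "rcsync.exe", "WinVNC.exe", "Sync.exe", "nickle" and "Dominick" class of hits, but "Nick Jones" still matches because "Nick" is a complete word. A boundary only tells tokens apart; telling an IRC NICK command apart from a name that happens to be "Nick" needs the pattern anchored to where the command sits in the message (for instance a pcre that requires the literal at the start of the buffer followed by whitespace), which is a rule-tuning choice rather than something the content option can express.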
