[Snort-users] exact phrase match

Dan sophie_bo at ...741...
Mon Dec 15 16:31:04 EST 2003


OK...let's try this again. When I tell snort to look for "nc.exe" in the payload, I only want it to return alarms with an exact match of "nc.exe". However, it triggers alarms even when nc.exe is part of another word, such as:

"sync.exe"
"runc.exe"

I don't care if users are running sync.exe or runc.exe on the network. I am trying to catch people using netcat, thus the "nc.exe" search. How do I tell snort to only trigger an alarm on an exact phrase match? Because if I cannot do that, I am forced to look through thousands of alarm payloads that are false positives. Clearly a huge waste of time.

Thanks,

Dan
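The distinction Dan is running into is substring matching versus token matching: a plain content search fires on any occurrence of the bytes "nc.exe", including the tail of "sync.exe" or "runc.exe". The script below is an added illustration written for this page, not code from the original thread or from the Snort project; it runs both policies over a handful of constructed sample payloads so the false positives and the true hits can be compared side by side. Snort's `pcre` rule option accepts the same word-boundary regular expression shown here (`/\bnc\.exe\b/i`), which is the usual way to express "whole token only" in a rule.

```python
import re

# Constructed sample payloads (not taken from the original post). The first two
# reproduce the false positives described in the thread; the rest cover true
# hits, a case variant, a path prefix and a near-miss with a trailing letter.
SAMPLE_PAYLOADS = [
    b"GET /tools/sync.exe HTTP/1.0",      # "nc.exe" inside "sync.exe": not netcat
    b"cmd.exe /c runc.exe --list",        # "nc.exe" inside "runc.exe": not netcat
    b"cmd.exe /c nc.exe",                 # stand-alone token: should alert
    b"tftp -i 10.0.0.1 GET NC.EXE",       # upper case: should still alert
    b"C:\\tools\\nc.exe",                 # preceded by a path separator: should alert
    b"nc.exes downloaded",                # trailing letter: not an exact token
    b"nothing relevant here",             # no occurrence at all
]

NEEDLE = b"nc.exe"

# \b is a boundary between a word character [A-Za-z0-9_] and a non-word
# character (or start/end of data). The leading \b rejects "sync.exe" and
# "runc.exe"; the trailing \b rejects "nc.exes". The dot is escaped so it
# matches a literal '.', not any character.
EXACT_RE = re.compile(rb"\bnc\.exe\b", re.IGNORECASE)


def substring_match(payload: bytes) -> bool:
    """Naive policy: alert on any occurrence of the bytes, even inside a longer word."""
    return NEEDLE in payload.lower()


def exact_token_match(payload: bytes) -> bool:
    """Token policy: alert only when nc.exe stands alone, bounded by non-word characters."""
    return EXACT_RE.search(payload) is not None


def classify(payloads):
    """Return (substring_hits, exact_hits) so the two policies can be compared."""
    substring_hits = [p for p in payloads if substring_match(p)]
    exact_hits = [p for p in payloads if exact_token_match(p)]
    return substring_hits, exact_hits


if __name__ == "__main__":
    substring_hits, exact_hits = classify(SAMPLE_PAYLOADS)
    print("substring policy alerts on %d payloads:" % len(substring_hits))
    for p in substring_hits:
        print("   ", p)
    print("exact-token policy alerts on %d payloads:" % len(exact_hits))
    for p in exact_hits:
        print("   ", p)
```

On the constructed input the substring policy alerts on six of the seven payloads while the token policy alerts on three, dropping exactly the "sync.exe", "runc.exe" and "nc.exes" cases. Note that a boundary-based rule still matches "nc.exe" when it is followed by a dot or other punctuation (for example in "nc.exe.bak"), since the boundary falls between the "e" and the "."; whether that is wanted depends on the environment.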
