[Snort-users] exact phrase match
mkettler at ...4108...
Mon Dec 15 16:58:02 EST 2003
At 03:39 PM 12/15/2003, Dan wrote:
>OK...let's try this again. When I tell snort to look for "nc.exe" in the
>payload, I only want it to return alarms with an exact match of "nc.exe".
>However, it triggers alarms even when nc.exe is part of another word, such as:
Well "nc.exe" *IS* an exact match for "sync.exe"... The thing you need to
determine is, what kind of delimiter bytes surround it? spaces? nulls? etc..
"phrase matching" is something natural to text, but network protocols
aren't much like text.. you can't say "look for this exact word" because
what defines a word in a binary packet dump?
Perhaps if you're doing webserver rules you want to look for "/nc.exe" instead?
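The following is an added example, not part of the original thread and not Snort code. It shows, over a few constructed sample payloads, the difference between the plain substring search that a Snort `content:"nc.exe";` performs (which is why "sync.exe" fires) and a delimiter-aware check that only accepts "nc.exe" when the bytes on either side are in an assumed delimiter set (space, NUL, slash, CR/LF, quotes and so on). The delimiter set, the sample payloads and the helper names are assumptions for illustration; the third function builds an equivalent pcre-style pattern from the same delimiter set so the two approaches can be compared.

```python
import re

# Constructed sample payloads for the example (not from the thread). "http_sync"
# and "word_nc" are the false-positive shape Dan described: "nc.exe" occurs
# only as the tail of a longer token ("sync.exe", "func.exe").
SAMPLE_PAYLOADS = {
    "http_sync": b"GET /sync.exe HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "http_nc":   b"GET /nc.exe HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "cmd_nc":    b"cmd.exe /c nc.exe -h\r\n",
    "nul_nc":    b"\x00\x00nc.exe\x00\x00",
    "word_nc":   b"reference to func.exe and synchronize",
}

# Assumed "word" delimiters for binary/protocol payloads. This is the part the
# reply says you have to decide yourself; tune it per protocol.
DEFAULT_DELIMS = frozenset(b" \t\r\n\x00/\\\"'<>()[]{};,|&=?")


def naive_match(payload: bytes, needle: bytes) -> bool:
    """Plain unanchored substring search, the behaviour of content:"nc.exe";."""
    return needle in payload


def delimited_matches(payload: bytes, needle: bytes, delims=DEFAULT_DELIMS) -> list:
    """Offsets of needle where the byte before and after is a delimiter
    (or the payload edge). Overlapping occurrences are all examined."""
    hits = []
    start = 0
    while True:
        i = payload.find(needle, start)
        if i < 0:
            return hits
        before_ok = i == 0 or payload[i - 1] in delims
        end = i + len(needle)
        after_ok = end == len(payload) or payload[end] in delims
        if before_ok and after_ok:
            hits.append(i)
        start = i + 1


def pcre_style_pattern(needle: bytes, delims=DEFAULT_DELIMS) -> bytes:
    """Build a regex expressing the same rule: needle bounded by a delimiter
    class or by the start/end of the buffer. Shown for comparison with a
    pcre-based rule; the class is derived from the assumed delimiter set."""
    cls = b"[" + re.escape(bytes(sorted(delims))) + b"]"
    return b"(?:^|" + cls + b")" + re.escape(needle) + b"(?:" + cls + b"|$)"


def regex_match(payload: bytes, needle: bytes) -> bool:
    """True if the delimiter-aware regex finds needle in payload."""
    return re.search(pcre_style_pattern(needle), payload) is not None


def compare(needle: bytes = b"nc.exe") -> dict:
    """Per sample: (naive substring hit, delimiter-aware hit)."""
    return {
        name: (naive_match(p, needle), bool(delimited_matches(p, needle)))
        for name, p in SAMPLE_PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, (naive, delimited) in compare().items():
        print(f"{name:10s} substring={naive!s:5s} delimited={delimited}")
```

Running it shows the substring check firing on all five payloads while the delimiter-aware check fires only on the three where "nc.exe" stands alone; the regex form gives the same answers, and the delimiter class is where the per-protocol judgement goes (for an HTTP URI, restricting the leading delimiter to "/" gets you the "/nc.exe" suggestion above).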