[Snort-users] exact phrase match

Matt Kettler mkettler at ...4108...
Mon Dec 15 16:58:02 EST 2003


At 03:39 PM 12/15/2003, Dan wrote:

>OK...let's try this again. When I tell snort to look for "nc.exe" in the 
>payload, I only want it to return alarms with an exact match of "nc.exe". 
>However, it triggers alarms even when nc.exe is part of another word, such as:
>
>"sync.exe"
>"runc.exe"

Well "nc.exe" *IS* and exact match for "sync.exe"... The thing you need to 
determine is, what kind of delimiter bytes surround it? spaces? nulls? etc..

"phrase matching" is something natural to text, but network protocols 
aren't much like text.. you can't say "look for this exact word" because 
what defines a word in a binary packet dump?


Perhaps if you're doing webserver rules you want to look for "/nc.exe" instead?







More information about the Snort-users mailing list