[Snort-users] exact phrase match

Brian bmc at ...950...
Mon Dec 15 17:03:01 EST 2003


On Mon, Dec 15, 2003 at 02:39:50PM -0600, Dan wrote:
> OK...let's try this again. When I tell snort to look for "nc.exe" in the payload, I only want it to return alarms with an exact match of "nc.exe". However, it triggers alarms even when nc.exe is part of another word, such as:
> 
> "sync.exe"
> "runc.exe"

Try... pcre.  :)

content:"nc.exe"; pcre:"/\bnc\.exe\b/";

Brian
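
Added example, not part of the original message: a Python model of why a lone `content:"nc.exe"` fires on "sync.exe" and "runc.exe", and how pairing it with a word-boundary regex narrows the match. Python's `re` stands in for Snort's PCRE here, the regex and function names are assumptions of this example, and the payloads are constructed samples.

```python
import re

CONTENT = b"nc.exe"                  # the literal string from the thread
EXACT = re.compile(rb"\bnc\.exe\b")  # assumed regex: word boundaries, escaped dot


def content_only(payload: bytes) -> bool:
    """Plain substring search, which is how a lone content option behaves."""
    return CONTENT in payload


def content_and_pcre(payload: bytes) -> bool:
    """Every option in a Snort rule must match, so model content AND pcre."""
    return CONTENT in payload and EXACT.search(payload) is not None


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b"GET /scripts/nc.exe HTTP/1.0",  # delimited by '/' and a space
    b"nc.exe",                        # the string is the whole payload
    b"GET /tools/sync.exe HTTP/1.0",  # embedded in a longer name
    b"GET /bin/runc.exe HTTP/1.0",    # embedded in a longer name
    b"GET /nc.exe2 HTTP/1.0",         # trailing word character
]


def report(samples=SAMPLES):
    """Return (payload, content-only result, content+pcre result) per sample."""
    return [(s, content_only(s), content_and_pcre(s)) for s in samples]


if __name__ == "__main__":
    for payload, loose, exact in report():
        print(f"{payload!r:40} content={loose!s:5} content+pcre={exact}")
```

Keeping the `content` option alongside `pcre` lets Snort's fast pattern matcher discard packets cheaply before the regex is evaluated.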
