[Snort-users] exact phrase match

Sean Lazar slazar at ...9944...
Mon Dec 15 19:00:01 EST 2003


In a typical packet, is there whitespace or some other character before
"nc.exe" that you could include?

Don't forget that you can type "nc" at a terminal prompt and get the same
results.

Sean
----- Original Message ----- 
From: "Dan" <sophie_bo at ...741...>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, December 15, 2003 12:39 PM
Subject: [Snort-users] exact phrase match


> OK...let's try this again. When I tell snort to look for "nc.exe" in the
> payload, I only want it to return alarms with an exact match of "nc.exe".
> However, it triggers alarms even when nc.exe is part of another word, such
> as:
>
> "sync.exe"
> "runc.exe"
>
> I don't care if users are running sync.exe or runc.exe on the network. I am
> trying to catch people using netcat, thus the "nc.exe" search. How do I tell
> snort to only trigger an alarm on an exact phrase match? Because if I cannot
> do that, I am forced to look through thousands of alarm payloads that are
> false positives. Clearly a huge waste of time.
>
> Thanks,
>
> Dan
>
>
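The matching behaviour discussed in this thread, as an added example that is not part of either post and is not Snort code: a plain substring match (the behaviour of a bare Snort `content` keyword) fires on "sync.exe" and "runc.exe", while requiring a non-alphanumeric character before the name does not, and still catches the filename at the start of a payload or after a path separator, which a literal leading space in the content string would miss. The payloads are constructed samples.

```python
import re

# Constructed sample payloads (not from the original post). The first two are
# the false positives described in the thread; the rest are cases a netcat
# rule should still catch.
SAMPLE_PAYLOADS = [
    b"C:\\WINDOWS\\system32\\sync.exe",
    b"C:\\tools\\runc.exe --version",
    b"nc.exe -l -p 4444",
    b"cmd /c nc.exe 10.0.0.5 80",
    b"copy \\\\share\\NC.EXE c:\\temp\\",
]


def naive_content_match(payload: bytes, needle: bytes = b"nc.exe") -> bool:
    """Plain substring match, i.e. what a bare content:"nc.exe"; nocase; does."""
    return needle.lower() in payload.lower()


# Require that the name is not preceded or followed by a letter or digit.
# A space, a path separator, a quote or the start of the payload all qualify,
# so the real filename is still matched while "sync.exe"/"runc.exe" are not.
# Snort's pcre keyword uses the PCRE library and accepts the same expression
# (an editor's note, not something stated in the thread).
_TOKEN_RE = re.compile(rb"(?<![a-z0-9])nc\.exe(?![a-z0-9])", re.IGNORECASE)


def token_match(payload: bytes) -> bool:
    """Delimiter-aware match for the nc.exe filename."""
    return _TOKEN_RE.search(payload) is not None


def classify(payloads=SAMPLE_PAYLOADS):
    """Return (payload, naive_result, token_result) for each sample payload."""
    return [(p, naive_content_match(p), token_match(p)) for p in payloads]


if __name__ == "__main__":
    for payload, naive, token in classify():
        print(f"naive={naive!s:5} token={token!s:5} {payload!r}")
```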