[Snort-users] exact phrase match

Schmehl, Paul L pauls at ...6838...
Thu Dec 18 15:04:00 EST 2003


> -----Original Message-----
> From: Dan [mailto:sophie_bo at ...741...] 
> Sent: Thursday, December 18, 2003 4:39 PM
> To: Brian; Schmehl, Paul L
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] exact phrase match
> 
> Could you please tell me what the pcre:"/\bnc.exe\b/"; 
> parameter does? Does this tell Snort to only alert on an 
> exact phrase match?
>
Pcre is just Perl Compatible Regular Expressions.  The expression
/\bnc.exe\b/ means "match the string nc.exe with a word boundary at the
beginning and end of the string".  So nc.exe must be a word that has no
preceding or trailing letters.  That eliminates matching on things such
as "sync.exe" because the beginning word boundary is not nc, but sync.
 
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
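
Added example (not part of the original message or of Snort): the quoted pattern run against constructed request lines with Python's re module, whose \b and . behave the same as PCRE's for these inputs. The DOT_ESCAPED and CASELESS variants and every sample string are assumptions introduced here to show where the word boundaries help and where the unescaped dot and case sensitivity still matter when tuning the rule.

```python
import re

# Pattern exactly as quoted in the thread.
AS_POSTED = re.compile(r"\bnc.exe\b")
# Assumed variants for comparison: literal dot, and literal dot + caseless
# (the latter corresponds to the /i modifier in a PCRE expression).
DOT_ESCAPED = re.compile(r"\bnc\.exe\b")
CASELESS = re.compile(r"\bnc\.exe\b", re.IGNORECASE)

# Constructed payload fragments, not taken from real traffic.
SAMPLES = [
    "GET /scripts/nc.exe HTTP/1.0",    # the intended hit
    "GET /tools/sync.exe HTTP/1.0",    # 'y' precedes 'nc': no boundary
    "GET /tools/func.exe HTTP/1.0",    # 'u' precedes 'nc': no boundary
    "GET /tmp/_nc.exe HTTP/1.0",       # '_' is a word character too
    "GET /files/nc.exe2 HTTP/1.0",     # digit follows 'exe': no boundary
    "GET /files/nc.exe.bak HTTP/1.0",  # '.' after 'exe' is a boundary
    "GET /docs/nc-exe.html HTTP/1.0",  # unescaped '.' matches '-'
    "GET /scripts/NC.EXE HTTP/1.0",    # upper case
]


def hits(pattern, samples=SAMPLES):
    """Return the samples in which the pattern is found anywhere."""
    return [s for s in samples if pattern.search(s)]


def report(samples=SAMPLES):
    """Build one row per sample: (sample, as_posted, dot_escaped, caseless)."""
    return [
        (s,
         bool(AS_POSTED.search(s)),
         bool(DOT_ESCAPED.search(s)),
         bool(CASELESS.search(s)))
        for s in samples
    ]


if __name__ == "__main__":
    print(f"{'sample':<36} posted  escaped  caseless")
    for sample, posted, escaped, caseless in report():
        print(f"{sample:<36} {posted!s:<7} {escaped!s:<8} {caseless!s}")
```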



