[Snort-users] PCRE plugin for exact phrase match

Dan sophie_bo at ...741...
Thu Dec 18 19:18:04 EST 2003


Do I need the pcre plugin and the perl plugin, or just the pcre plugin?

http://www.snort.org/dl/contrib/patches/snort-pcre/

http://www.snort.org/dl/contrib/patches/snort-perl/

-----Original Message-----
From: "Schmehl, Paul L" <pauls at ...6838...>
Sent: Dec 18, 2003 3:02 PM
To: 
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] exact phrase match

> -----Original Message-----
> From: Dan [mailto:sophie_bo at ...741...] 
> Sent: Thursday, December 18, 2003 4:39 PM
> To: Brian; Schmehl, Paul L
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] exact phrase match
> 
> Could you please tell me what the pcre:"/\bnc.exe\b/"; 
> parameter does? Does this tell Snort to only alert on an 
> exact phrase match?
>
Pcre is just Perl Compatible Regular Expressions.  The expression
/\bnc.exe\b/ means 
"match the string nc.exe with a word boundary at the beginning and end
of the string".  So nc.exe must be a word that has no preceding or
trailing letters.  That eliminates matching on things such as "sync.exe"
because the beginning word boundary is not nc, by sync.
 
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list