[Snort-users] spaces causing problems in content filters in win32 port of snort (resend)

Tom H tom at ...9643...
Mon Jul 14 14:47:02 EDT 2003


Hi,

When a content filter contains a space ' ' or a '.' character, snort does not seem to be matching the text correctly, i.e.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"P O R N free ZZZ"; content:"FREE ZZZ"; nocase; flow:to_client; classtype:kickass-p o r n; sid:1310; rev:5;)
never matches my test page with "FREE ZZZ" that I have created.
At the moment it will match single words like 'freezzz', but will not match 'free zzz' or words separated by dots 'alt.binarires.whatever'. Commenting out the dots '\.' seems to work for dots, but not for spaces, and this also has the pain of breaking a lot of the rules supplied along with snort.

Any ideas on whether I can fix this without changing lots of rules?

Cheers

Tom H




