[Snort-users] spaces causing problems in content filters in win32 port of snort (resend)

Tom H tom at ...9643...
Mon Jul 14 17:49:30 EDT 2003


> When a content filter contains a space ' ' or a '.' character, 
> snort does not seem to be matching the text correctly, i.e. 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"P O R 
> N free ZZZ"; content:"FREE ZZZ"; nocase; flow:to_client; 
> classtype:kickass-p o r n; sid:1310; rev:5;)
> never matches my test page with "FREE ZZZ" that I have created. 
> At the moment it will match single words like 'freezzz', but will 
> not match 'free zzz' or words separated by dots 
> ('alt.binaries.whatever'); commenting out the dots '\.' seems to 
> work for dots, but not for spaces. This also has the pain of 
> breaking a lot of the rules supplied along with snort.
> 

After some investigation it seems that snort detects these fine unless the web page
is returned chunked-encoded (like Google, for example); for sites with no encoding
it detects the content string fine.

Is there any more documentation on things like this that I missed?

Tom H
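The chunked-encoding observation above can be reproduced outside of snort. The following is an added illustration, not code from this thread or from the Snort project: a constructed HTML body is encoded with HTTP chunked transfer encoding so that a chunk boundary (and its hex size line) lands inside the string "FREE ZZZ", which defeats a raw-payload substring match, while dechunking the body before matching restores the hit. The page text, the pattern and the chunk sizes are all assumed for the demonstration.

```python
# Constructed demo: chunked transfer encoding versus a literal content match.
# The page body and pattern below are assumed values, not captured traffic.
PAGE = b"<html><body>Get your FREE ZZZ here</body></html>"
PATTERN = b"FREE ZZZ"  # mirrors content:"FREE ZZZ"; nocase;


def chunk_body(body: bytes, sizes) -> bytes:
    """Encode body as HTTP/1.1 chunked data using the given chunk sizes."""
    out = bytearray()
    pos = 0
    for size in sizes:
        piece = body[pos:pos + size]
        if not piece:
            break
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
        pos += len(piece)
    rest = body[pos:]
    if rest:  # whatever the size list did not cover goes in a final chunk
        out += b"%x\r\n" % len(rest) + rest + b"\r\n"
    out += b"0\r\n\r\n"  # zero-length chunk terminates the body
    return bytes(out)


def dechunk_body(data: bytes) -> bytes:
    """Reassemble the original body from a chunked stream (no trailers)."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        out += data[pos:pos + size]
        pos += size + 2  # skip the CRLF that follows the chunk data
    return bytes(out)


def content_match(pattern: bytes, payload: bytes) -> bool:
    """Case-insensitive literal match, like a nocase content option."""
    return pattern.lower() in payload.lower()


def raw_match(sizes) -> bool:
    """Match against the wire bytes, as a signature with no normalization would."""
    return content_match(PATTERN, chunk_body(PAGE, sizes))


def normalized_match(sizes) -> bool:
    """Match after dechunking, i.e. after reassembling the real page body."""
    return content_match(PATTERN, dechunk_body(chunk_body(PAGE, sizes)))
```

With a chunk boundary at byte 24 the raw match fails because "FRE" and "E ZZZ" are separated by a CRLF and a hex size line; the same page sent as a single chunk still matches on the wire, which is why the behaviour looks site-dependent.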