[Snort-users] wildcards in rules?

Matt Kettler mkettler at ...4108...
Wed May 26 13:50:15 EDT 2004

At 02:07 PM 5/26/2004, Sheahan, Paul wrote:
>I'm looking to use Snort to find a string of numbers that begin with a 
>known group of numbers, but end with unknown numbers.
>I want Snort to alert if it sees a number like 8976**** in a packet where 
>**** can be any numbers. Can this be done with Snort? I couldn't find much 
>on wildcards but did read in a few places that Snort has limited wildcard 

Using pcre, yes.

The regex would look like:

\d means "any numeric digit" and {4} means "repeat 4 times" in regex notation. 

