[Snort-users] wildcards in rules?

Matt Kettler mkettler at ...4108...
Wed May 26 13:50:15 EDT 2004


At 02:07 PM 5/26/2004, Sheahan, Paul wrote:
>I'm looking to use Snort to find a string of numbers that begin with a 
>known group of numbers, but end with unknown numbers.
>
>Example:
>
>I want Snort to alert if it sees a number like 8976**** in a packet where 
>**** can be any numbers. Can this be done with Snort? I couldn't find much 
>on wildcards but did read in a few places that Snort has limited wildcard 
>support.

Using pcre, yes.

The regex would look like:
         8976\d{4}

\d means "any numeric digit" and {4} means "repeat 4 times" in regex notation. 
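
The regex from the reply, run over constructed payloads as an added example that is not part of the original post. It shows that the pattern also fires inside longer digit runs, next to a stricter variant with digit lookarounds. Assumptions: the strict variant, the sample payloads, and the rule header, msg and sid in the rendered Snort rule are all constructed here.

```python
import re

# LOOSE is the regex from the reply. STRICT is an assumption added here: it
# rejects matches that are embedded in a longer run of digits.
LOOSE = re.compile(rb"8976\d{4}")
STRICT = re.compile(rb"(?<!\d)8976\d{4}(?!\d)")

# Constructed payloads, not captured traffic.
SAMPLES = [
    b"id=89761234&x=1",         # exactly 8 digits
    b"acct 8976123",            # only 7 digits: no match
    b"ref 1289761234567",       # 8976 inside a longer number
    b"89760000 and 89769999",   # two hits in one payload
]


def find_numbers(payload, strict=False):
    """Return every non-overlapping match in a packet payload."""
    pattern = STRICT if strict else LOOSE
    return pattern.findall(payload)


def snort_rule(strict=False, sid=1000001):
    """Render a Snort rule carrying the regex in a pcre option.

    The content:"8976" option lets Snort's pattern matcher pre-filter packets
    so the regex is only evaluated on packets containing the fixed prefix.
    Header, msg and sid are placeholders.
    """
    regex = (STRICT if strict else LOOSE).pattern.decode()
    return ('alert tcp any any -> any any (msg:"number starting 8976"; '
            f'content:"8976"; pcre:"/{regex}/"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for payload in SAMPLES:
        print(payload, find_numbers(payload), find_numbers(payload, strict=True))
    print(snort_rule())
    print(snort_rule(strict=True))
```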