[Snort-users] Snort Rule Advise.

Tony Purdy tpurdy at ...14103...
Fri Apr 13 10:00:33 EDT 2007


Hi,

Could someone kindly advise if it is possible to achieve the following
within a rule.

I am creating rules to trigger when specific words are seen within the
payload, for example the word 'ADS' as below:

alert tcp any any -> any any (msg :"SecureADS"; sid:1000011;
content:"ADS"; nocase; rev:1;)

But currently it will trigger if it sees NADS, for example, which is a
menu option within an SGD environment.

Please advise how I can restrict the rule to trigger when only ADS is
seen; this can appear anywhere in the payload.

Kind Regards

Tony

Tony Purdy
__________________________
Axial Systems Ltd.
Tectonic Place
Holyport Road
Maidenhead SL6 2YE
01628 418 000
01628 418 221
tpurdy at ...14103...
www.axial.co.uk
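
One way to restrict the match to the whole word, added here as an example and not part of the original post: keep the content match as the prefilter and confirm it with Snort's pcre option using word boundaries. The sids 1000012 and 1000013 and their msg strings are constructed for illustration.

```snort
# Added example, not from the original post. sids 1000012/1000013 and
# their msg strings are constructed.

# Rule from the post: a plain substring match, so the "ADS" inside
# "NADS" also fires.
alert tcp any any -> any any (msg:"SecureADS"; sid:1000011; content:"ADS"; nocase; rev:1;)

# Whole-word match. The content option stays first as the cheap check;
# pcre then confirms the hit. \b is a PCRE word boundary: the position
# between a word character [A-Za-z0-9_] and a non-word character, or the
# start/end of the payload. /i keeps it case-insensitive, like nocase.
#   fires on:   "ADS"  "open ADS now"  "menu=ads&x=1"  "(ADS)"
#   silent on:  "NADS"  "LOADS"  "ADSL"  "ADS_1"  "ADS2"
# The pcre scans the whole payload, so a packet that carries both "NADS"
# and a standalone "ADS" still alerts.
alert tcp any any -> any any (msg:"SecureADS whole word"; sid:1000012; content:"ADS"; nocase; pcre:"/\bADS\b/i"; rev:1;)

# Variant for traffic where "_" or digits act as token separators.
# \b treats them as word characters, so "ADS_1" and "ADS2" are missed by
# the rule above. Lookarounds that exclude only letters catch those while
# staying silent on "NADS", "LOADS" and "ADSL".
alert tcp any any -> any any (msg:"SecureADS letter-delimited"; sid:1000013; content:"ADS"; nocase; pcre:"/(?<![A-Za-z])ADS(?![A-Za-z])/i"; rev:1;)
```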

 

 
