[Snort-users] Snort Rule Advise.

Tony Purdy tpurdy at ...14103...
Fri Apr 13 10:00:33 EDT 2007



Could someone kindly advise if it is possible to achieve the following
within a rule.


I am creating rules to trigger when specific words are seen within the
payload, for example the word 'ADS' as below: 

alert tcp any any -> any any (msg:"SecureADS"; sid:1000011; content:"ADS"; nocase; rev:1;)

But currently it will trigger if it sees NADS for example which is a
menu option within an SGD environment.


Please advise how I can restrict the rule to trigger when only ADS is
seen, this can appear anywhere in the payload.


Kind Regards





Tony Purdy


Axial Systems Ltd.

Tectonic Place

Holyport Road

Maidenhead SL6 2YE

01628 418 000
01628 418 221
tpurdy at ...14103...
www.axial.co.uk
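
Added example, not part of the original post or of any reply on the list: one common way to restrict a keyword rule to whole words is to keep content as the pre-filter and add Snort's pcre option with \b word boundaries. The script below emulates both matches over constructed payloads; the pcre option in RULE, the function names and the sample payloads are assumptions made for illustration.

```python
import re

# Hypothetical variant of the rule from the post: same msg/sid, with an added
# pcre option. content stays as the cheap pre-filter; pcre enforces boundaries.
RULE = ('alert tcp any any -> any any (msg:"SecureADS"; content:"ADS"; nocase; '
        'pcre:"/\\bADS\\b/i"; sid:1000011; rev:1;)')

WORD = re.compile(rb"\bADS\b", re.IGNORECASE)  # same pattern as the pcre option


def content_match(payload: bytes) -> bool:
    """Emulate content:"ADS"; nocase; (case-insensitive substring search)."""
    return b"ads" in payload.lower()


def rule_match(payload: bytes) -> bool:
    """Emulate content + pcre: every option must match for the rule to fire."""
    return content_match(payload) and WORD.search(payload) is not None


# Constructed payloads, including the NADS menu option described in the post.
SAMPLES = [
    b"open ADS now",       # standalone word
    b"menu option NADS",   # substring of a longer word
    b"launch ads;",        # lower case, punctuation after
    b"ADSL line status",   # keyword as a prefix of a longer word
    b"ADS_EXPORT=1",       # underscore counts as a word character for \b
    b"NADS then /ADS",     # one bad and one good occurrence in the same payload
]


def evaluate(samples=SAMPLES):
    """Return (payload, original rule fires, boundary rule fires) per sample."""
    return [(p, content_match(p), rule_match(p)) for p in samples]


if __name__ == "__main__":
    print(RULE)
    for payload, before, after in evaluate():
        print(f"{payload!r:28} content-only={before!s:5} with-pcre={after}")
```

Because \b treats digits and underscores as word characters, payloads such as ADS_EXPORT or ADS2 no longer alert; if those should count, the boundary has to be written as an explicit character class instead.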


