[Snort-users] write PCRE rule

Lay, James james.lay at ...15009...
Tue Sep 18 15:07:41 EDT 2012


Thân,

 

Is there a reason this must be a PCRE?  Any reason:

 

content:"YOU ARE IN MINE"; content:"TERMINATED"; within: 12

 

wouldn't work for you?

 

James 

 

From: minhtamnw [mailto:minhtamnw at ...11827...] 
Sent: Tuesday, September 18, 2012 5:23 AM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] write PCRE rule

 

Please help me how to write a pcre to detect like this in snort

 

xxxxYOU ARE IN MINExxTERMINATED

 

x is any byte : 

 

Thanks all,


 

-- 

Thân,

Quan Minh Tâm

Mobile: 01284211290
minhtamnw at ...11827...

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120918/835c3904/attachment.html>


More information about the Snort-users mailing list