Snort mailing list archives
spaces causing problems in content filters in win32 port of snort (resend)
From: "Tom H" <tom () scriptsupport co uk>
Date: Mon, 14 Jul 2003 22:44:07 +0100
Hi, when a content filter contains a space ' ' or a '.' character, snort does not seem to be matching the text correctly. ie alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"P O R N free ZZZ"; content:"FREE ZZZ"; nocase; flow:to_client; classtype:kickass-p o r n; sid:1310; rev:5;) never matches my test page with "FREE ZZZ" that I have created, at the moment it will match single words like 'freezzz', but will not match 'free zzz' or words seperated by dots 'alt.binarires.whatever', commenting out the dots '\.' seems to work for dots, but not for spaces. and this also has the pain of breaking a lot of the rules supplies along with snort. any ideas on whether I can fix this without changing lots of rules. Cheers Tom H ------------------------------------------------------- This SF.Net email sponsored by: Parasoft Error proof Web apps, automate testing & more. Download & eval WebKing and get a free book. www.parasoft.com/bulletproofapps1 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- spaces causing problems in content filters in win32 port of snort (resend) Tom H (Jul 14)