Snort mailing list archives

Re: exact phrase match


From: "Sean Lazar" <slazar () cruzio com>
Date: Mon, 15 Dec 2003 18:59:18 -0800

In a typical packet, is there whitespace or some other character before
"nc.exe" that you could include?

Don't forget that you can type "nc" at a terminal prompt and get the same
results.

Sean
----- Original Message -----
From: "Dan" <sophie_bo () earthlink net>
To: <snort-users () lists sourceforge net>
Sent: Monday, December 15, 2003 12:39 PM
Subject: [Snort-users] exact phrase match


OK...let's try this again. When I tell snort to look for "nc.exe" in the
payload, I only want it to return alarms with an exact match of "nc.exe".
However, it triggers alarms even when nc.exe is part of another word, such
as:

"sync.exe"
"runc.exe"

I don't care if users are running sync.exe or runc.exe on the network. I am
trying to catch people using netcat, thus the "nc.exe" search. How do I tell
snort to only trigger an alarm on an exact phrase match? Because if I cannot
do that, I am forced to look through thousands of alarm payloads that are
false positives. Clearly a huge waste of time.

Thanks,

Dan


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
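The false positive Dan describes and the fix Sean suggests, as an added Python example that is not from the thread and not Snort code: a plain substring test (what a bare content match does) beside a delimiter-aware test, both run over constructed payloads. The Snort pcre option mentioned in a comment is an assumption about later Snort releases, not something the thread discusses.

```python
import re

# Constructed sample payloads (not captured traffic): the three cases from the
# thread, a path-prefixed nc.exe, and a bare "nc" token (Sean's second point).
SAMPLE_PAYLOADS = [
    b"cmd.exe /c nc.exe -h",      # netcat: should alert
    b"running sync.exe now",      # false positive for a plain substring match
    b"start runc.exe",            # false positive for a plain substring match
    b"C:\\tools\\nc.exe -h",      # netcat behind a path separator: should alert
    b"start nc -h",               # bare "nc" with no .exe: should alert
]

def naive_match(payload: bytes, needle: bytes = b"nc.exe") -> bool:
    """What a bare content:"nc.exe"; does: any substring hit, anywhere."""
    return needle in payload

# A program name is legitimately preceded by start-of-payload, whitespace, a
# path separator or a quote. An alphanumeric character before "nc" (the 'y' in
# sync.exe, the 'u' in runc.exe) means the needle is the tail of a longer word.
# The optional ".exe" lets a bare "nc" token match as well.
# (Assumption: in Snort the same idea is expressible as pcre:"/\bnc(\.exe)?\b/";)
_BOUNDARY = re.compile(rb"(?:^|[^A-Za-z0-9_])nc(?:\.exe)?(?=$|[^A-Za-z0-9_.])")

def bounded_match(payload: bytes) -> bool:
    """Sean's suggestion: require a delimiter (or start of payload) before 'nc'."""
    return _BOUNDARY.search(payload) is not None

def classify(payloads):
    """Return {payload: (naive, bounded)} so the two approaches can be compared."""
    return {p: (naive_match(p), bounded_match(p)) for p in payloads}

if __name__ == "__main__":
    for payload, (naive, bounded) in classify(SAMPLE_PAYLOADS).items():
        print(f"{payload!r:32} naive={naive!s:5} bounded={bounded}")
```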