[Intrusions] Assessing Your Malware Exposure with Snort
James Riden
j.riden at massey.ac.nz
Fri Mar 11 22:07:57 GMT 2005
Brian <bmc at snort.org> writes:
> On Thu, Mar 10, 2005 at 03:39:10PM -0600, Cory.Bys at fbol.com wrote:
>> <snip>
>> My tweaked "for speed" meat of the rule version is:
>>
>> flow:established,to_server; content:"whenyousearch.com"; nocase;
>> pcre:"/^Host\x3a\s*[a-z0-0\.-]+\.whenyousearch.com/smi";
>> </snip>
>
> note, I see one error in my ways...
>
> flow:established,to_server; content:"whenyousearch.com"; nocase;
> pcre:"/^Host\x3a\s*[a-z\d\.-]+\.whenyousearch.com$/smi";
>
> \w+ would be faster, but _ isn't valid in hostnames IIRC.
It's not valid per the RFC, but I have seen it used now and then.
--
James Riden / j.riden at massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
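As an added illustration of the exchange above (my own Python, not code from the thread or from Snort), the following emulates the rule body the way Snort evaluates it: the content:"whenyousearch.com"; nocase; match as a prefilter, then the pcre. It runs the three pcre bodies discussed (the original class with the 0-0 range, the corrected class with \d, and the \w+ shortcut) over constructed HTTP requests, so the effect of each change is visible: the 0-0 range only admits the digit 0, \w admits the underscore James mentions, and the trailing $ under /m only matches before a bare LF. The variant labels, helper names and sample Host values are my own assumptions.

```python
import re

# Snort's /smi modifiers correspond to these Python re flags:
# s = DOTALL, m = MULTILINE (^ and $ at line boundaries), i = case-insensitive.
SMI = re.DOTALL | re.MULTILINE | re.IGNORECASE

# The content: match the rule uses as a prefilter before the pcre runs (nocase).
CONTENT = "whenyousearch.com"

# The three pcre bodies from the thread, keyed by labels of my own.
PCRE_VARIANTS = {
    # "0-0" is a one-character range: only the digit 0 is admitted, so any
    # other digit in the hostname prefix prevents a match.
    "original": r"^Host\x3a\s*[a-z0-0\.-]+\.whenyousearch.com",
    # Corrected class with \d, plus the $ anchor at the end of the Host line.
    "corrected": r"^Host\x3a\s*[a-z\d\.-]+\.whenyousearch.com$",
    # \w+ in place of the class: \w includes '_', and with no '.' in it
    # only a single label can precede the domain.
    "word": r"^Host\x3a\s*\w+\.whenyousearch.com$",
}
# Note: the '.' in "whenyousearch.com" is unescaped in all three, so it
# matches any single character there, exactly as in the posted rule.


def rule_matches(variant, payload):
    """Emulate content+nocase prefilter followed by pcre, like the Snort rule body."""
    if CONTENT not in payload.lower():
        return False
    return re.search(PCRE_VARIANTS[variant], payload, SMI) is not None


def http_request(host, eol="\r\n"):
    """Build a minimal constructed HTTP/1.1 request carrying the given Host value."""
    return eol.join(["GET / HTTP/1.1", "Host: " + host, "User-Agent: test", "", ""])


def evaluate(hosts, eol="\r\n"):
    """Return {host: {variant: matched}} for every host and pcre variant."""
    return {h: {v: rule_matches(v, http_request(h, eol)) for v in PCRE_VARIANTS}
            for h in hosts}


if __name__ == "__main__":
    # Constructed sample Host values: plain, with a digit, with an underscore, unrelated.
    sample_hosts = ["www.whenyousearch.com", "www2.whenyousearch.com",
                    "www_2.whenyousearch.com", "example.com"]
    for name, eol in (("LF", "\n"), ("CRLF", "\r\n")):
        print(f"--- {name}-terminated requests ---")
        for host, results in evaluate(sample_hosts, eol).items():
            flags = "  ".join(f"{v}={'hit' if hit else 'miss'}" for v, hit in results.items())
            print(f"{host:28s} {flags}")
```

Running it shows that only the corrected and \w variants hit www2.whenyousearch.com, that only the \w variant hits www_2.whenyousearch.com, and that the two $-anchored variants miss every CRLF-terminated request: under /m, both PCRE (with its default LF newline convention) and Python's re let $ match only before a \n, and in a CRLF request the \r sits between the hostname and that newline. A trailing \r?$ would keep the anchor while tolerating CRLF.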