Character String Filtering
Each rule filter can include one or more alphanumeric character strings. Character strings search the rule Message field, Snort ID (SID), and Generator ID (GID). For example, the string 123 returns the strings "Lotus123", "123mania", and so on in the rule message, and also returns SID 6123, SID 12375, and so on.
All character strings are case-insensitive and are treated as partial strings. For example, any of the strings ADMIN, admin, or Admin return "admin", "CFADMIN", "Administrator", and so on.
You can enclose character strings in quotes to return exact matches. For example, the literal string "overflow attempt" in quotes returns only that exact string, whereas a filter comprised of the two strings overflow and attempt without quotes returns "overflow attempt", "overflow multipacket attempt", "overflow with evasion attempt", and so on.
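The matching behavior described above can be modeled in a few lines. This is an added example, not the product's own code: the rule records are constructed, and it assumes that multiple terms must all match (AND) and that a quoted phrase matches as a contiguous, case-insensitive substring.

```python
import shlex

# Constructed sample rules as (GID, SID, message); not from a real rule set.
RULES = [
    (1, 6123, "SERVER-OTHER Lotus123 overflow attempt"),
    (1, 12375, "FILE-OTHER overflow multipacket attempt"),
    (1, 2001, "SERVER-WEBAPP CFADMIN access"),
    (3, 2002, "OS-WINDOWS Administrator overflow with evasion attempt"),
    (1, 2003, "PROTOCOL-FTP 123mania login"),
]


def parse_filter(text):
    """Split a filter into lowercase terms; a quoted phrase stays one term."""
    return [term.lower() for term in shlex.split(text)]


def rule_matches(rule, terms):
    """True if every term is a substring of the message, the SID, or the GID."""
    gid, sid, message = rule
    fields = (message.lower(), str(sid), str(gid))
    # Assumption: terms are combined with AND, each as a partial match.
    return all(any(term in field for field in fields) for term in terms)


def search(text, rules=RULES):
    """Return the SIDs of the rules selected by the filter text."""
    terms = parse_filter(text)
    return [rule[1] for rule in rules if rule_matches(rule, terms)]


if __name__ == "__main__":
    for query in ("123", "ADMIN", '"overflow attempt"', "overflow attempt"):
        print(f"{query!r:22} -> SIDs {search(query)}")
```

The broad hits for 123 show why a short numeric string is a poor way to find a single rule: it matches message text and any SID containing those digits.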