Snort mailing list archives
Snort-1.8.1-beta5 (build 56) available
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 24 Jul 2001 12:11:55 -0400
Ok, I haven't received any crash reports from anyone on beta4 in 24 hours, so either it's stable or nobody is using it. :) On the off chance that people are, I've just uploaded what will probably be the last checkin before 1.8.1 is released, beta5.

Beta 5 has a couple tweaks to the tag code and one big fix that a lot of people might appreciate: regex for wildcards. For example, you can now do this:

alert tcp any any -> $HOME_NET any \
    (flags: A+; \
    content: "|c08f e4ff ffff|/bin/*sh"; regex;\
    msg: "buffer overflow!"; sid: 2341239; rev: 1;)

Note the "*" wildcard in the content string. You can also use "?" for single character wildcards as well. The "regex" keyword modifies the prior content string; you use it to tell the pattern matcher to consider any wildcard characters that it sees in the content string as regex wildcards. Note that right now you can't mix "nocase" and regex, I'll see if I can change that before 1.8.1 release.

Beta5 is available in CVS and at http://www.snort.org/files/snort-1.8.1-beta5.tar.gz

-Marty

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
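Added example, not part of the original post and not Snort's own pattern matcher: a small Python model of the content-string behaviour described above, showing how the same string matches with and without the "regex" modifier. It assumes "*" matches any run of bytes (including none, across newlines), "?" matches exactly one byte, and wildcards apply only outside the |hex| sections; the function names and payloads are constructed for illustration.

```python
import re

def compile_content(content: str, regex: bool = True) -> re.Pattern:
    """Turn a Snort-style content string into a compiled bytes pattern.

    Bytes inside |..| are hex and always literal. Outside the pipes, '*' and
    '?' are wildcards only when regex is True (the rule carries "regex;").
    Assumed semantics: '*' = any run of bytes, '?' = exactly one byte.
    """
    parts, hex_buf, in_hex = [], "", False
    for ch in content:
        if ch == "|":
            if in_hex:  # closing pipe: emit the collected hex bytes
                parts.append(re.escape(bytes.fromhex(hex_buf)))
                hex_buf = ""
            in_hex = not in_hex
        elif in_hex:
            hex_buf += ch
        elif regex and ch == "*":
            parts.append(b".*?")
        elif regex and ch == "?":
            parts.append(b".")
        else:
            parts.append(re.escape(ch.encode("latin-1")))
    if in_hex:
        raise ValueError("unterminated |hex| section in content string")
    return re.compile(b"".join(parts), re.DOTALL)

def content_matches(content: str, payload: bytes, regex: bool = True) -> bool:
    """A content match is a search anywhere in the payload, not an anchored match."""
    return compile_content(content, regex).search(payload) is not None

RULE_CONTENT = "|c08f e4ff ffff|/bin/*sh"   # content string from the post
PREFIX = bytes.fromhex("c08fe4ffffff")       # the rule's six hex bytes

# Constructed payloads, not captured traffic.
SAMPLES = {
    "sh": PREFIX + b"/bin/sh",
    "bash": PREFIX + b"/bin/bash",
    "no prefix": b"/bin/bash",
    "ls only": PREFIX + b"/bin/ls",
    "ls then 'finish'": PREFIX + b"/bin/ls\nfinish",  # unbounded '*' reaches "sh"
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:18} regex={content_matches(RULE_CONTENT, payload)} "
              f"literal={content_matches(RULE_CONTENT, payload, regex=False)}")
```

Under these assumed semantics the unbounded "*" also fires on any later "sh" in the same payload, which is worth keeping in mind as a false-positive source when writing wildcard rules.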