Snort mailing list archives

Re: Snort rule for a pattern match?


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 27 Mar 2013 11:08:49 -0400

On Mar 27, 2013, at 10:55 AM, lists () packetmail net wrote:

> On 03/27/2013 09:45 AM, Shields, Joseph (NIH/NIEHS) [C] wrote:
>> How can I write this rule?
>
> Write the PCRE and I'll write the rule.  You have to use byte_test/byte_extract
> or PCRE.  Either way, IMHO, Snort isn't the best place to do this level of
> complex packet analysis because it'll be a costly rule.

I agree with that, theoretically, if there is no other content match the rule will enter (performance-wise) on every packet.


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

