Snort mailing list archives

Depth limit of binary flow using just pcre (no content option)

From: Frank Calone <fc10011001 () gmail com>
Date: Fri, 19 Jul 2013 14:20:29 -0400

I'd like to test just the first 500 bytes of a session for a pcre pattern.
I've seen port 80 session data with just raw tranfers, no http related
stuff.  It appears the "depth" option must have a content check.  I really
don't have a good content criteria to test for.  My interest is strictly in
just a pattern.  Any ideas on how to limit the testing to just 500 bytes
of any given session?  I have some content only rules that are not alerting
when I added the pcre tests.  I suspect trying to analyze all sessions and
all bytes for a dozen different patterns is a bit much to ask of Snort.

Frank

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Depth limit of binary flow using just pcre (no content option) Frank Calone (Jul 19)
- Re: Depth limit of binary flow using just pcre (no content option) waldo kitty (Jul 19)
  - Re: Depth limit of binary flow using just pcre (no content option) Frank Calone (Jul 19)
- Re: Depth limit of binary flow using just pcre (no content option) Joel Esler (Jul 19)