Snort mailing list archives
Re: sdf preprocessor: partial matches/false positives
From: Bram <bram-fabeg () mail wizbit be>
Date: Fri, 02 Aug 2013 08:04:40 +0200
A minor follow up on this:

This was also reported (by others) to the 'snort-sigs' mailing list (I'm not subscribed to this list so I haven't replied on it).

Some that I noticed:
* 2013-08-01: [Snort-sigs] sensitive-data email alerts
* 2013-07-25: [Snort-sigs] question :: interest in testing SENF preprocessor for Snort?

Best regards,
Bram

Quoting Hui Cao <hcao () sourcefire com>:
Hi Bram,

Thanks for reporting this issue. We will look into it.

Best,
Hui.

On Fri, Jul 19, 2013 at 5:21 PM, Bram <bram-fabeg () mail wizbit be> wrote:

Hi,

There appears to be an issue with the sdf preprocessor: when the regex partially matches at the end of a data packet then the match count is increased. This then results in false positives...
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Current thread:
- sdf preprocessor: partial matches/false positives Bram (Jul 19)
- Re: sdf preprocessor: partial matches/false positives Hui Cao (Jul 22)
- Re: sdf preprocessor: partial matches/false positives Bram (Aug 01)
- Re: sdf preprocessor: partial matches/false positives Hui Cao (Jul 22)