Re: Case sensitive fast pattern matches

[lists () packetmail net]

On 03/05/2014 02:51 PM, waldo kitty wrote:
> you can't set your content match as fast_pattern:only and then use regex to 
> check the case sensitivity?

There are many options for this:

1) content:"neb"; fast_pattern; would match "NEB" in the fast_pattern matcher,
then perform a string-sensitive comparison using the content matching/cursor and
reject as a non-match.

2) content:"neb"; fast_pattern:only; content:"NEB"; would be nearly identical to
#1 but would fire and IMHO is superfluous.

3) content:"neb"; pcre:"/NEB/"; might be considered performance costly unless
the PCRE engine is actually needed.

4) content:"neb"; fast_pattern; content:"neb"; nocase; is pretty much the same
as content:"neb"; fast_pattern:only unless constrained to a buffer but even then
it doesn't make much sense.

Not sure what the original sender is after...

Cheers,
Nathan





------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works. 
Faster operations. Version large binaries.  Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!