Snort mailing list archives

Re: Question about content keyword

From: Dan <sophie_bo () earthlink net>
Date: Fri, 26 Mar 2004 21:20:31 -0800 (PST)

Attacks generally all take place at the beginning of the
packet within the first thirty to fifty bytes. This can be
a great place to optimize Snort content searching.

-----Original Message-----
From: Steve Johnson <stevejohnson46 () comcast net>
Sent: Mar 24, 2004 3:31 PM
To: snort-users () lists sourceforge net
Cc: stevejohnson46 () comcast net
Subject: [Snort-users] Question about content keyword

Hi,
Does using the "content" keyword without any attributes like
depth means search for the string in the total assembled
payload or search for the content in the unassembled first 
packet payload ?

If the content is to be searched in the total assembled
payload, for the sake of efficiency is there a recommended
size of the assembled packet to check it in ? 



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Question about content keyword Steve Johnson (Mar 25)
- <Possible follow-ups>
- Re: Question about content keyword Dan (Mar 26)