Snort mailing list archives

Re: how can we alert on web visiting activity?


From: Nigel Houghton <nhoughton () sourcefire com>
Date: Thu, 19 Nov 2009 14:20:52 -0500

On Thu, Nov 19, 2009 at 2:01 PM, evilghost () packetmail net
<evilghost () packetmail net> wrote:
> What version of Snort are you using?  I have had issues with content
> matching working correctly in the 2.8 branch (as have others at Emerging
> Threats). I was able to get content matching to work as expected by
> using the rawbytes option.  See section 3.5.3 in the Snort manual.
>
> content:"ebay"; nocase; rawbytes;
>
> -evilghost

If you have evidence to support your claim, we would like to see it. A
bug report would be good; until then, please refrain from giving
"advice" like this. Your recommendation is detrimental to performance.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

