Re: [Emerging-Sigs] what s the real difference here?

[Joel Esler <jesler () sourcefire com>]

On Jul 13, 2010, at 8:16 PM, evilghost () packetmail net wrote:
> > Yes, I do understand.  Like I said, I'd like a Snort team comment on this one, just so we can be clear.  Are you 
> > saying that we should make it clear in the manual?
>
> I'd absolutely love to see a "Caveats" section, even if it were nothing more than an ordered list.  I think it would 
> be invaluable.  A singular line item that says
> 'uricontent:"souls"' and 'content:"souls"; http_uri;' are the same." and "Content modifiers like distance, within, 
> isdataat, and others are not applicable to a content match
> constrained to a specific buffer such as http_uri, http_cookie, or http_header.  The reason for this is due to the 
> pointer set in the content engine/match compared with the pointer
> set in the separate constrained buffer."  That's worth gold since it's idiosyncratic with Snort and rule syntax; not 
> something gleaned from the manual or strict adherence to the
> manual.
>
> Write "Caveats" from the aspect of someone who just picked up the Snort manual and can RTFM but writes rules with 
> strict adherence to the manual itself and doesn't have the benefit
> of years of experience with 'rulecraft'.

Okay, I'll take that in and see what I can do.
------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs