Snort mailing list archives

Re: Anyones doomsday machine running low on IDS analyst tears?
From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 6 Oct 2010 15:57:36 -0500

No dice. So I guess the takeaway here is that if you are moving to a
VRT snort.conf or a 2.9.0 ruleset and you are running custom rules, I
would pay real close attention to debug-print-fast-pattern output.  We
are going through the poor performers now and making modifications
where appropriate for ET rules; just thought folks might want to know.

Forgot to add the bit about the solution.  If you do end up using this
pm with the default options, for rules such as this use the
fast_pattern:<offset>,<length>; options... i.e.

Delf Checkin via HTTP (8)"; flow:established,to_server;
content:"POST"; http_method; content:".php"; http_uri; nocase;
content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)";
http_header; fast_pattern:30,20; content:"name="; http_client_body;
sid:2008268; rev:5;)
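
An added example, not part of the original post: it decodes the content strings in the rule options quoted above and shows which bytes fast_pattern:30,20 selects for the fast pattern matcher. The function names are hypothetical, and it assumes the offset and length count bytes of the decoded content.

```python
import re

# Constructed input: the rule options quoted in the post (the rule header is cut off there).
RULE_OPTIONS = (
    'flow:established,to_server; content:"POST"; http_method; '
    'content:".php"; http_uri; nocase; '
    'content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; '
    'http_header; fast_pattern:30,20; content:"name="; http_client_body;'
)

def decode_content(text):
    """Decode a Snort content string: |hex bytes| runs and backslash escapes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "|":
            end = text.index("|", i + 1)
            out += bytes.fromhex(text[i + 1:end].replace(" ", ""))
            i = end + 1
        elif text[i] == "\\" and i + 1 < len(text):
            out.append(ord(text[i + 1]))
            i += 2
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)

def fast_pattern_slices(options):
    """Return (content, selected_bytes) for each content carrying fast_pattern:<offset>,<length>."""
    results, current = [], None
    # Split on ';' separators that are not inside a quoted string.
    for opt in re.findall(r'(?:[^;"]|"(?:\\.|[^"\\])*")+', options):
        opt = opt.strip()
        m = re.fullmatch(r'content:\s*!?"(.*)"', opt, re.S)
        if m:
            current = decode_content(m.group(1))  # modifiers that follow apply to this content
            continue
        m = re.fullmatch(r'fast_pattern:\s*(\d+)\s*,\s*(\d+)', opt)
        if m and current is not None:
            off, length = int(m.group(1)), int(m.group(2))
            if length == 0 or off + length > len(current):
                raise ValueError("fast_pattern range exceeds content length")
            results.append((current, current[off:off + length]))
    return results

if __name__ == "__main__":
    for content, selected in fast_pattern_slices(RULE_OPTIONS):
        print(len(content), content)
        print("fast pattern:", selected)
```

Running the same check over custom rules before enabling them catches an offset and length that run past the end of the content.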
