
Re: [Snort-sigs] RE: [Snort-users] More sid 1841

From: Matt Kettler <mkettler(at)evi-inc.com>
Date: Sat Feb 22 2003 - 15:35:43 EST


Since it's about improving a rule which is FP prone, I'll agree this has turned into a signature-devel related topic more than a users topic. Moving out of users.

The keyword you want is "within" not "depth".

And no, you can't use regexp's in snort... Snort would be a lot slower if it did.

So what you really want is something like this:

    content:"javascript\://"; nocase; content:"\\n"; within:512;

(note I upped the range, due to the possibility of escape-codes making the domain part of this URL longer than 255 bytes, as per my snort-users post).

At 11:00 AM 2/22/2003 -0600, Schmehl, Paul L wrote:
>If I understand the rules docs correctly (and there's no guarantee that
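
The difference between "depth" and "within" described in the message above, as an added example that is not part of the original post and is not Snort's own code: a simplified Python model of the two modifiers run over constructed payloads. It assumes the second content is a single newline byte; the payloads and the helper names are made up for illustration.

```python
# Simplified model of two Snort content modifiers (illustration, not Snort code).
FIRST = b"javascript://"   # first content from the post, matched nocase
SECOND = b"\n"             # assumption: second content is one newline byte

def find(payload, pattern, start, end, nocase=False):
    """Index of pattern lying entirely inside payload[start:end], else -1."""
    if nocase:
        payload, pattern = payload.lower(), pattern.lower()
    return payload.find(pattern, start, end)

def match_depth(payload, depth):
    """depth: SECOND must lie in the first `depth` bytes of the payload."""
    return (find(payload, FIRST, 0, len(payload), nocase=True) != -1
            and find(payload, SECOND, 0, depth) != -1)

def match_within(payload, within):
    """within: SECOND must lie in the `within` bytes after a FIRST match."""
    pos = find(payload, FIRST, 0, len(payload), nocase=True)
    while pos != -1:
        after = pos + len(FIRST)
        if find(payload, SECOND, after, after + within) != -1:
            return True
        # No luck after this occurrence: retry from the next FIRST match.
        pos = find(payload, FIRST, pos + 1, len(payload), nocase=True)
    return False

# Constructed sample payloads.
HEADERS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
# Newlines only in the headers, before the URL; next newline is 600+ bytes later.
BENIGN = HEADERS + b'<a href="JavaScript://void(0)">x</a>' + b" " * 600 + b"\n"
# Newline shortly after the URL scheme, early in the payload.
EARLY = HEADERS + b'<a href="javascript://host.example/\nx()">y</a>'
# Same URL, but preceded by 600 bytes containing no newline.
LATE = b" " * 600 + b'<a href="javascript://host.example/\nx()">y</a>'

def compare(payload, n=512):
    """Return (depth result, within result) for the same range n."""
    return match_depth(payload, n), match_within(payload, n)

if __name__ == "__main__":
    for name, p in (("benign", BENIGN), ("early", EARLY), ("late", LATE)):
        print(name, compare(p))
```

With "depth" the header newlines alone satisfy the second content on the benign payload, and the late payload is missed; "within" ties the second match to the position of the first.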



Received on Sat Feb 22 16:11:26 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:24 EDT

