Pantek Library

RE: [Snort-sigs] RE: [Snort-users] More sid 1841

From: Schmehl, Paul L <pauls(at)utdallas.edu>
Date: Sat Feb 22 2003 - 15:46:05 EST


Is "within" a new option? I don't see it in the docs page on the website.

I think what you've proposed makes a great deal of sense and would probably reduce the FPs significantly. So how do we proceed to get that implemented?

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-----Original Message-----
From: Matt Kettler [mailto:mkettler@evi-inc.com]
Sent: Saturday, February 22, 2003 2:36 PM
To: Schmehl, Paul L; Michael Boman
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] RE: [Snort-users] More sid 1841

Since it's about improving a rule which is FP prone, I'll agree this has
turned into a signature-devel related topic more than a users topic. Moving
out of users.

The keyword you want is "within" not "depth".

And no, you can't use regexp's in snort... Snort would be a lot slower if
it did.


So what you really want is something like this: content:"javascript\://"; nocase; content:"\\n"; within:512;

(note I upped the range, due to the possibility of escape-codes making the
domain part of this URL longer than 255 bytes, as per my snort-users post).


Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Sat Feb 22 16:24:19 2003
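The rule Matt proposes in the quoted message relies on the `within` modifier limiting where the second `content` may land relative to the first. The following is an added example, not code from the thread and not Snort's own matcher: a small Python emulation of `content:A; nocase; content:B; within:N;`, run over constructed HTML bodies to show why the window trims the false positives the thread is discussing. It assumes the second content is the newline byte (what `|0A|` would mean in a Snort rule); whether the quoted `\\n` denotes that or a backslash followed by `n` is not settled on this page, so that choice is an assumption, as is the retry-on-later-occurrence behaviour, which mirrors how Snort 2.x content matching works.

```python
# Added example, not code from the snort-sigs thread or from Snort itself:
# a Python emulation of how Snort's `content` + `within` modifiers narrow a
# second match to a window after the first, applied to constructed HTTP
# response bodies. Assumptions: the second content is the newline byte
# (Snort `|0A|`); the retry on later occurrences mirrors Snort 2.x.

RULE_FIRST = b"javascript://"   # content:"javascript\://"; nocase;
RULE_SECOND = b"\n"             # assumed: content:"|0A|"; within:512;
RULE_WITHIN = 512


def snort_content_within(payload, first, second, within, nocase=False):
    """Emulate `content:first; [nocase;] content:second; within:N;`.

    `within:N` restricts the second content to the N bytes that follow the
    end of the previous content match. `nocase` is a per-content modifier in
    Snort, so here it applies to `first` only. As Snort does, if the second
    content is not found after one occurrence of `first`, the next
    occurrence of `first` is tried. Returns (offset_first, offset_second)
    or None. within=None means the second content may appear anywhere
    after the first (no window at all).
    """
    hay = payload.lower() if nocase else payload
    needle = first.lower() if nocase else first
    start = 0
    while True:
        i = hay.find(needle, start)
        if i < 0:
            return None
        end_first = i + len(needle)
        if within is None:
            window = payload[end_first:]
        else:
            window = payload[end_first:end_first + within]
        j = window.find(second)
        if j >= 0:
            return i, end_first + j
        start = i + 1  # retry with the next occurrence of the first content


# Constructed sample bodies (not real captures).
SAMPLES = {
    # Spoofing pattern from the thread: host part, then a newline, then code.
    "spoofed_host": b'<a href="javascript://www.bank.example/\nalert(document.cookie)">login</a>',
    # Ordinary bookmarklet-style link; the only newline is far past 512 bytes.
    "benign_link": b'<a href="javascript://example.test/show()">x</a>' + b"x" * 600 + b"\n</body>",
    # Scheme in upper case exercises nocase on the first content.
    "uppercase_scheme": b'<A HREF="JAVASCRIPT://www.bank.example/\nvoid(0)">',
    # Two links: the first is far from any newline, the second is not.
    "two_links": b"javascript://a.test/" + b"y" * 600 + b"javascript://b.test/\n",
}


def evaluate(within=RULE_WITHIN, samples=SAMPLES):
    """Return {sample_name: rule_fires} for the given `within` window."""
    return {
        name: snort_content_within(body, RULE_FIRST, RULE_SECOND, within, nocase=True) is not None
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"within:512  {name:18} -> {'ALERT' if fired else 'no alert'}")
    # Without the window the benign page fires too; that is the false
    # positive the thread is trying to remove.
    benign = evaluate(within=None)["benign_link"]
    print("no within   benign_link        ->", "ALERT" if benign else "no alert")
```

The `two_links` sample is the case worth remembering when tuning `within`: the first `javascript://` has no newline in its 512-byte window, but the match is retried from the second occurrence, so the rule still fires. A rule that stops at the first occurrence would miss it.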

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:24 EDT

