
Re: [Snort-sigs] Question about rule semantic

From: Brian <bmc(at)snort.org>
Date: Mon Jun 23 2003 - 11:04:57 EDT

On Tue, Jun 17, 2003 at 11:11:30PM +0200, stephane wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow

It would be faster to define it like this:

match if there is a "CWD", followed by at least 100 bytes of data, without a 0x0a within 100 bytes of CWD.

While this can be done via an abuse of byte_test, a better approach is in the works.

-brian




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Mon Jun 23 11:49:40 2003
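
The match condition described in the reply above, written out as a small Python check over constructed FTP payloads. This is an added example, not part of the original message and not Snort's implementation; the function names and the sample payloads are assumptions made for illustration.

```python
from typing import List

KEYWORD = b"CWD"   # command named in the message
WINDOW = 100       # byte count named in the message
NEWLINE = 0x0A     # terminator named in the message


def cwd_overflow_offsets(payload: bytes, window: int = WINDOW) -> List[int]:
    """Offsets of every "CWD" that has at least `window` bytes after it
    with no 0x0a among those bytes (hypothetical helper, exact-case match;
    the message does not address case)."""
    hits = []
    pos = payload.find(KEYWORD)
    while pos != -1:
        start = pos + len(KEYWORD)
        following = payload[start:start + window]
        # Both halves of the condition: enough data, and no line end inside it.
        if len(following) == window and NEWLINE not in following:
            hits.append(pos)
        pos = payload.find(KEYWORD, pos + 1)
    return hits


def matches(payload: bytes) -> bool:
    return bool(cwd_overflow_offsets(payload))


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # Ordinary command: far fewer than 100 bytes follow.
    "normal": b"CWD /pub/incoming\r\n",
    # Short CWD, then a long unrelated command in the same segment.
    # More than 100 bytes follow "CWD", but a 0x0a sits inside the window.
    "pipelined": b"CWD /pub\r\nRETR " + b"a" * 200 + b"\r\n",
    # Over-long argument with no line end inside the window.
    "long_arg": b"CWD " + b"A" * 150 + b"\r\n",
    # Harmless CWD first, over-long CWD second: only the second one counts.
    "second_cmd": b"CWD /tmp\r\nCWD " + b"B" * 120 + b"\r\n",
    # Boundary: the 0x0a is the 100th byte after "CWD", so it is in the window.
    "newline_at_100": b"CWD " + b"A" * 97 + b"\r\n",
    # Boundary: the 0x0a is the 101st byte after "CWD", just outside the window.
    "newline_at_101": b"CWD " + b"A" * 98 + b"\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15s} match={matches(data)} offsets={cwd_overflow_offsets(data)}")
```

The "pipelined" sample is the case the 0x0a check exists for: a length test alone would fire on it even though the CWD argument itself is short.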

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:31 EDT

