[Snort-devel] Snort-1.8.1-beta5 (build 56) available

Martin Roesch roesch at ...402...
Tue Jul 24 12:11:55 EDT 2001

Ok, I haven't received any crash reports from anyone on beta4 in 24
hours, so either it's stable or nobody is using it. :)  On the off
chance that people are, I've just uploaded what will probably be the
last checkin before 1.8.1 is released, beta5.

Beta 5 has a couple tweaks to the tag code and one big fix that a lot of
people might appreciate: regex for wildcards.  For example, you can now
do this:

alert tcp any any -> $HOME_NET any \
	(flags: A+; \
	content: "|c08f e4ff ffff|/bin/*sh"; regex;\
	msg: "buffer overflow!"; sid: 2341239; rev: 1;)

Note the "*" wildcard in the content string.  You can also use "?" for
single character wildcards as well.  The "regex" keyword modifes the
prior content string, you use it to tell the pattern matcher to consider
and wildcard characters that it sees in the content string as regex
wildcards.  Note that right now you can't mix "nocase" and regex, I'll
see if I can change that before 1.8.1 release.

Beta5 is available in CVS and at
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org

More information about the Snort-devel mailing list