[Snort-devel] Suggestion for unknown keywords

Chris Green cmg at ...402...
Thu Jan 30 05:06:04 EST 2003


Frank Knobbe <fknobbe at ...337...> writes:

> In light of the fact that the Snort Stable rules are outdated in CVS and
> tar ball, and only the current rules are maintained well, I would like
> to suggest the following:
>
> Have Snort IGNORE unknown keywords in the Snort rules.

That's been brought up multiple times internally and externally.
Unfortunately, things that we add to the rules language lately have
been "look for this 4 byte content and then do some math".

If you ignore the last part, it would log every packet of certain
protocosl :)
-- 
Chris Green <cmg at ...402...>
You now have 14 minutes to reach minimum safe distance.





More information about the Snort-devel mailing list