[Snort-devel] including markup information for detected pattern
bmc at ...835...
Wed Dec 1 05:49:02 EST 2004

On Dec 1, 2004, at 5:56 AM, o.wurster wrote:
> The main goal is to mark up the detected pattern in a packet. Therefore
> we need to change the Snort engine. We analyze tcpdump files, so we
> are not concerned about performance.

This sounds like an easy modification, except there is more to
detection in Snort than simple string matching. What about byte_jump,
byte_test, and pcre? Don't forget about all of the various options
that check IP Headers, TCP Headers, and the often forgotten UDP