[Snort-devel] including markup information for detected pattern

Brian Caswell bmc at ...835...
Wed Dec 1 05:49:02 EST 2004


On Dec 1, 2004, at 5:56 AM, o.wurster wrote:
> The main goal is to mark up the detected pattern in a packet. Therefore 
> we need to change the Snort engine. We analyze tcpdump files, so we 
> are not concerned about performance.

This sounds like an easy modification, except there is more to 
detection in Snort than simple string matching.  What about byte_jump, 
byte_test, and pcre?  Don't forget about all of the various options 
that check IP Headers, TCP Headers, and the often forgotten UDP 
acknowledgment number.

Brian
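To make Brian's point concrete, here is an added illustration (not Snort's code and not from the thread) of a simplified option-chain evaluator that records a byte span for content, pcre and byte_test options so the matched bytes can be marked up; header checks such as the TCP acknowledgment number have no payload span at all and are left out. The payload, rule options, dictionary keys and the cursor model are constructed assumptions for this example only.

```python
import re

# Comparison operators for byte_test (subset of Snort's: <, >, =).
OPERATORS = {"<": lambda a, b: a < b, ">": lambda a, b: a > b, "=": lambda a, b: a == b}

def evaluate(payload, options):
    """Walk a simplified Snort-style option chain over a payload.

    Returns (matched, spans); spans is a list of (option_type, start, end)
    giving the payload bytes each option consumed, so they can be marked up.
    'relative' options start at the end of the previous match, loosely
    mimicking Snort's detect-offset-end cursor (a model, not Snort's code).
    """
    cursor, spans = 0, []
    for opt in options:
        kind = opt["type"]
        base = cursor if opt.get("relative") else 0
        if kind == "content":            # plain substring search
            start = payload.find(opt["value"], base)
            if start < 0:
                return False, spans
            end = start + len(opt["value"])
        elif kind == "pcre":             # regex search from the cursor
            m = re.compile(opt["value"]).search(payload, base)
            if not m:
                return False, spans
            start, end = m.span()
        elif kind == "byte_test":        # numeric test on N bytes at an offset
            start = base + opt["offset"]
            end = start + opt["bytes"]
            if end > len(payload):
                return False, spans
            number = int.from_bytes(payload[start:end], "big")
            if not OPERATORS[opt["operator"]](number, opt["value"]):
                return False, spans
        else:
            raise ValueError("unsupported option: " + kind)
        spans.append((kind, start, end))   # span that this option "matched"
        cursor = end
    return True, spans

def markup(payload, spans):
    """Render the payload with each matched span wrapped as [type|bytes]."""
    show = lambda b: repr(b)[2:-1]        # escaped text without the b'' wrapper
    out, pos = [], 0
    for kind, start, end in spans:
        out.append(show(payload[pos:start]))
        out.append("[%s|%s]" % (kind, show(payload[start:end])))
        pos = end
    out.append(show(payload[pos:]))
    return "".join(out)

# Constructed sample: a fake request with a 2-byte big-endian length after "HEAD".
SAMPLE = b"HEAD\x00\x10/index.html HTTP/1.0\r\n"
RULE = [
    {"type": "content", "value": b"HEAD"},
    {"type": "byte_test", "bytes": 2, "operator": ">", "value": 8, "offset": 0, "relative": True},
    {"type": "pcre", "value": rb"/[a-z.]+", "relative": True},
]

if __name__ == "__main__":
    ok, spans = evaluate(SAMPLE, RULE)
    print(ok, spans)
    print(markup(SAMPLE, spans))
```

Note that the byte_test span marks the bytes that were tested, not a pattern that was found, which is exactly why "mark up the detected pattern" needs a definition per option type.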
