[Snort-devel] sdf preprocessor: partial matches/false positives

Bram bram-fabeg at ...3414...
Fri Aug 2 02:04:40 EDT 2013

A minor follow up on this:

This was also reported (by others) to the 'snort-sigs' mailing list: (I'm
not subscribed to this list so I haven't replied on it)

Some that I noticed:

* 2013-08-01: [Snort-sigs] sensitive-data email alerts:
* 2013-07-25: [Snort-sigs] question :: interest in testing SENF preprocessor for Snort?

Best regards,


Quoting Hui Cao <hcao at ...402...>:

> Hi Bram,
> Thanks for reporting this issue. We will look into it.
> Best,
> Hui.
> On Fri, Jul 19, 2013 at 5:21 PM, Bram <bram-fabeg at ...3414...> wrote:
>> Hi,
>> There appears to be an issue with the sdf preprocessor: when the regex
>> partially matches at the end of a data packet then the match count is
>> increased.
>> This then results in false positives.
> ..
