[Snort-devel] sdf preprocessor: partial matches/false positives

Bram bram-fabeg at ...3414...
Fri Aug 2 02:04:40 EDT 2013


A minor follow up on this:

This was also reported (by others) to the 'snort-sigs' mailing list: (I'm
not subscribed to this list so I haven't replied on it)

Some that I noticed:

* 2013-08-01: [Snort-sigs] sensitive-data email alerts:
* 2013-07-25: [Snort-sigs] question :: interest in testing SENF preprocessor for Snort?


Best regards,

Bram

Quoting Hui Cao <hcao at ...402...>:

> Hi Bram,
>
> Thanks for reporting this issue. We will look into it.
>
> Best,
> Hui.
>
> On Fri, Jul 19, 2013 at 5:21 PM, Bram <bram-fabeg at ...3414...> wrote:
>> Hi,
>>
>>
>> There appears to be an issue with the sdf preprocessor: when the regex
>> partially matches at the end of a data packet then the match count is
>> increased.
>> This then results in false positives.
> ..
>
>
>


