[Snort-sigs] Request for additions/corrections - Summary
bmc at ...8...
Wed Oct 25 14:58:30 EDT 2000
Jim Forster wrote:
> If I remember correctly, someone had updated the MPEG AUDIO rules down to
> just a few, but I can't find the mail now..... Anyone have a copy of it?
That would have been me.
alert tcp any 1024: -> any 1024: (msg: "MPEG Audio"; content:"|FF FA|";depth:
alert tcp any 1024: -> any 1024: (msg: "MPEG Audio"; content:"|FF FB|";depth:
If you look at the sigs listed in the beta ruleset, they are matching almost
FF FA ** to FF FB **. It would make sense to me to cut the additional stuff
off. The increase in speed will greatly outweigh the false positives.
The MITRE Corporation
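
An added example, not part of the original post or of the Snort ruleset: the two bytes these rules match are the start of an MPEG-1 Layer III frame header, and the third byte carries the bitrate and sample-rate fields. The code compares the two-byte test with a check of that third byte on constructed payloads; anchoring the match at the first payload bytes is an assumption, since the depth value is cut off in the rules above.

```python
# Added example: two-byte prefix match vs. MPEG-1 Layer III header validation.
# FF FA / FF FB = 11-bit sync, MPEG-1, Layer III, CRC present (FA) or absent (FB).
BITRATES_KBPS = [None, 32, 40, 48, 56, 64, 80, 96,
                 112, 128, 160, 192, 224, 256, 320]  # index 0 = free format
SAMPLE_RATES_HZ = [44100, 48000, 32000]              # index 3 is reserved


def prefix_match(payload: bytes) -> bool:
    """Two-byte test, as in content:"|FF FA|" / content:"|FF FB|".

    Assumption: the match is anchored at the first payload bytes.
    """
    return payload[:2] in (b"\xff\xfa", b"\xff\xfb")


def parse_header(payload: bytes):
    """Decode the third header byte; return None if it holds an illegal value."""
    if len(payload) < 3 or not prefix_match(payload):
        return None
    bitrate_index = payload[2] >> 4
    rate_index = (payload[2] >> 2) & 0x03
    if bitrate_index == 15 or rate_index == 3:
        return None  # forbidden bitrate index or reserved sample rate
    return {
        "crc": payload[1] == 0xFA,
        "bitrate_kbps": BITRATES_KBPS[bitrate_index],
        "sample_rate_hz": SAMPLE_RATES_HZ[rate_index],
    }


def classify(payload: bytes) -> str:
    if not prefix_match(payload):
        return "no match"
    return "valid header" if parse_header(payload) else "prefix only"


# Constructed payloads (not captured traffic).
SAMPLES = {
    "mp3_128k_44k": b"\xff\xfb\x90\x64" + b"\x00" * 8,
    "mp3_crc_320k_48k": b"\xff\xfa\xe4\x00",
    "bad_bitrate": b"\xff\xfa\xf0\x00",
    "reserved_rate": b"\xff\xfb\x9c\x00",
    "http_request": b"GET / HTTP/1.0\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} {classify(data)}")
```

Payloads classified as "prefix only" are the ones a two-byte rule alerts on but a third-byte check would drop.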