[Snort-sigs] Request for additions/corrections - Summary

Brian Caswell bmc at ...8...
Wed Oct 25 14:58:30 EDT 2000


Jim Forster wrote:

> If I remember correctly, someone had updated the MPEG AUDIO rules down to
> just a few, but I can't find the mail now..... Anyone have a copy of it?

That would have been me.

alert tcp any 1024: -> any 1024:   (msg: "MPEG Audio"; content:"|FF FA|";depth:3; )
alert tcp any 1024: -> any 1024:   (msg: "MPEG Audio"; content:"|FF FB|";depth:3; )

If you look at the sigs listed in the beta ruleset, they are matching almost
everything from FF FA ** to FF FB **.  It would make sense to me to cut the
additional stuff off.  The increase in speed will greatly outweigh the false
positives.

--
Brian Caswell
The MITRE Corporation
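An added worked model of the two rules above (this is not code from the Snort ruleset or from the thread; the payloads in SAMPLES are constructed). It implements the `content`/`depth` check and the `1024:` port condition the way the rule header and options express them, then decodes the first 16 bits of an MPEG audio frame header to show what the FF FA / FF FB patterns actually select: 11 sync bits, MPEG-1, Layer III, with and without CRC protection. The last samples show the trade Brian describes: a sync word sitting past depth 3 is missed, and any unrelated binary payload that happens to start with those two bytes fires the rule.

```python
# Model of the two Snort-sigs MPEG Audio rules:
#   alert tcp any 1024: -> any 1024: (msg:"MPEG Audio"; content:"|FF FA|"; depth:3;)
#   alert tcp any 1024: -> any 1024: (msg:"MPEG Audio"; content:"|FF FB|"; depth:3;)
# Added example, not part of the original post; SAMPLES are constructed payloads.

MPEG_RULES = [
    {"msg": "MPEG Audio", "content": bytes.fromhex("FFFA"), "depth": 3},
    {"msg": "MPEG Audio", "content": bytes.fromhex("FFFB"), "depth": 3},
]

# Constructed TCP payloads (first bytes of a segment), not real captures.
SAMPLES = {
    "mp3_crc":    bytes.fromhex("FFFA9000") + b"\x00" * 20,  # MPEG-1 Layer III, CRC-protected
    "mp3_nocrc":  bytes.fromhex("FFFB9044") + b"\x00" * 20,  # MPEG-1 Layer III, no CRC
    "mp3_off1":   b"\x00" + bytes.fromhex("FFFB9044"),       # sync word at offset 1, still within depth 3
    "http":       b"GET / HTTP/1.0\r\n\r\n",                 # ordinary text protocol
    "late_sync":  b"\x00" * 5 + bytes.fromhex("FFFB9044"),   # sync word past depth 3: not matched
    "mpeg2_l3":   bytes.fromhex("FFF39044"),                 # MPEG-2 Layer III: not one of the two patterns
    "random_bin": bytes.fromhex("FFFB0102030405"),           # unrelated binary data: false positive
}


def content_match(payload: bytes, content: bytes, depth: int) -> bool:
    """Snort 'content' with 'depth': the pattern must lie entirely inside
    the first `depth` bytes of the payload."""
    return content in payload[:depth]


def port_ok(port: int) -> bool:
    """'1024:' in the rule header means port 1024 and above."""
    return port >= 1024


def evaluate(payload: bytes, sport: int, dport: int) -> list:
    """Return the msg of every rule that fires on this segment.
    Both ends must be on a port >= 1024, as in 'any 1024: -> any 1024:'."""
    if not (port_ok(sport) and port_ok(dport)):
        return []
    return [r["msg"] for r in MPEG_RULES
            if content_match(payload, r["content"], r["depth"])]


def decode_header(payload: bytes) -> dict:
    """Decode the first 16 bits of an MPEG audio frame header:
    bits 15..5 sync (all ones), bits 4..3 version, bits 2..1 layer,
    bit 0 protection (0 = a CRC follows the header)."""
    if len(payload) < 2:
        return {"sync": False}
    hdr = int.from_bytes(payload[:2], "big")
    version = {0: "MPEG-2.5", 1: "reserved", 2: "MPEG-2", 3: "MPEG-1"}[(hdr >> 3) & 3]
    layer = {0: "reserved", 1: "Layer III", 2: "Layer II", 3: "Layer I"}[(hdr >> 1) & 3]
    return {
        "sync": (hdr >> 5) == 0x7FF,
        "version": version,
        "layer": layer,
        "crc_protected": (hdr & 1) == 0,
    }


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        fired = evaluate(payload, sport=1234, dport=4321)
        print(f"{name:11s} {payload[:4].hex():8s} -> {fired or 'no alert'}  {decode_header(payload)}")
    print("mp3_crc on port 80:", evaluate(SAMPLES["mp3_crc"], 80, 4321) or "no alert")
```

Both rules carry the same msg, so a segment matching either pattern produces one "MPEG Audio" alert; the rules differ only in the protection bit, which is why the third byte (bitrate, sampling rate, padding) adds nothing to the decision and can be dropped as the post suggests.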
