[Snort-sigs] Any reason for "nocase;" in web-attacks.rules?
Owen_Crow at ...449...
Fri Apr 19 06:26:10 EDT 2002
Almost all of the rules in the file appear to be targeted at Unix systems,
but every rule has "nocase;". For example:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-ATTACKS ps command attempt"; flags:A+; uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:2;)

The only situation where nocase would help would be a Win32 target with
Cygwin installed. So removing nocase should speed up the comparisons and
eliminate false positives, right?

Systems Programmer (Unix)
BMC Software, Inc.
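
Added example, not part of the original post: a Python sketch that parses the options of the rule quoted above and lists the request URIs that would alert only because of "nocase;". The sample URIs are constructed, and the matcher is a plain substring test that assumes the URI is already normalized and ignores the flags option.

```python
import re

# Rule text as quoted in the post (sid:1328), joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
        '(msg:"WEB-ATTACKS ps command attempt"; flags:A+; '
        'uricontent:"/bin/ps"; nocase; '
        'classtype:web-application-attack; sid:1328; rev:2;)')

# Constructed request URIs for illustration only.
SAMPLE_URIS = [
    "/cgi-bin/test.cgi?cmd=/bin/ps",   # exact-case match
    "/docs/Bin/PS-printing.html",      # benign page, differs only in case
    "/BIN/PSD/logo.psd",               # benign file, differs only in case
    "/index.html",                     # no match either way
]

def parse_options(rule):
    """Split the parenthesised option block into (keyword, value) pairs."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = []
    # Split on ';' but keep any ';' that sits inside double quotes.
    for part in re.findall(r'(?:[^;"]|"[^"]*")+', body):
        key, _, val = part.strip().partition(':')
        if key:
            opts.append((key.strip(), val.strip().strip('"')))
    return opts

def uricontent_patterns(opts):
    """Return [(pattern, nocase)]; nocase modifies the preceding match."""
    pats = []
    for key, val in opts:
        if key == 'uricontent':
            pats.append([val, False])
        elif key == 'nocase' and pats:
            pats[-1][1] = True
    return [tuple(p) for p in pats]

def matches(uri, patterns, honor_nocase=True):
    """True if every uricontent pattern is found in the URI."""
    for pat, nocase in patterns:
        fold = nocase and honor_nocase
        if (pat.lower() if fold else pat) not in (uri.lower() if fold else uri):
            return False
    return True

def nocase_only_hits(rule, uris):
    """URIs that alert with nocase honoured but not with it removed."""
    pats = uricontent_patterns(parse_options(rule))
    return [u for u in uris
            if matches(u, pats) and not matches(u, pats, honor_nocase=False)]
```
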