[Snort-sigs] Any reason for "nocase;" in web-attacks.rules?

Crow, Owen Owen_Crow at ...449...
Fri Apr 19 06:26:10 EDT 2002


Almost all of the rules in the file appear to be targeted at Unix systems,
but every rule has "nocase;".  For example:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-ATTACKS ps command attempt"; flags:A+; uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:2;)

The only situation where nocase would help would be a Win32 target with
Cygwin installed.  So removing nocase should speed up the comparisons and
eliminate false positives, right?

Regards,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.
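
An added example, not part of the original post and not Snort's own code: a small Python sketch that parses the options of the rule quoted above and lists the request URIs that match only because of nocase. The sample URIs are constructed, the helper names are hypothetical, and matching is simplified to a substring test on the raw URI (no URI normalization), with nocase applied to the uricontent option that precedes it.

```python
import re

# The rule quoted in the post, on one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
        '(msg:"WEB-ATTACKS ps command attempt"; flags:A+; '
        'uricontent:"/bin/ps"; nocase; '
        'classtype:web-application-attack; sid:1328; rev:2;)')

# Constructed sample request URIs (not taken from real traffic).
SAMPLE_URIS = [
    '/cgi-bin/test.cgi?cmd=/bin/ps',   # exact-case path
    '/cgi-bin/test.cgi?cmd=/BIN/PS',   # no such file on a case-sensitive filesystem
    '/downloads/Bin/PS2-manual.html',  # benign page that only resembles the pattern
    '/index.html',
]

def parse_options(rule):
    """Return the rule's options as an ordered list of (name, value) pairs."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = []
    # Split on ';' outside double quotes (escaped quotes are not handled).
    for part in re.findall(r'(?:[^;"]|"[^"]*")+', body):
        name, _, value = part.strip().partition(':')
        if name:
            opts.append((name.strip(), value.strip().strip('"')))
    return opts

def uri_matches(opts, uri, honor_nocase=True):
    """Evaluate the uricontent options against one URI (simplified model)."""
    patterns = []  # each entry: [pattern, case_insensitive]
    for name, value in opts:
        if name == 'uricontent':
            patterns.append([value, False])
        elif name == 'nocase' and patterns and honor_nocase:
            patterns[-1][1] = True  # nocase modifies the preceding pattern
    return bool(patterns) and all(
        (p.lower() in uri.lower()) if ci else (p in uri)
        for p, ci in patterns)

def nocase_only_hits(rule, uris):
    """URIs that alert with nocase but would not alert without it."""
    opts = parse_options(rule)
    return [u for u in uris
            if uri_matches(opts, u, True) and not uri_matches(opts, u, False)]

if __name__ == '__main__':
    for uri in nocase_only_hits(RULE, SAMPLE_URIS):
        print('matches only because of nocase:', uri)
```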




