mkettler at ...189...
Thu Aug 15 07:58:02 EDT 2002

I know it's not CPU intensive; on most CPUs, comparisons for equality,
greater than or less than are of equal instruction cycle count. (I'm a device
driver and application programmer by trade, not a sysadmin.) I merely was
pointing out that the snort rule processing chain is not set up to do such
things, so such analysis could not be done in a snort rule, and would not
work with the string matching algorithms used by snort for content parts.

As for plugin vs preprocessor, minor difference in terminology... I merely
meant any "add on" feature to snort. But you are correct, there's no need
for it to use the spp_* interface, sp_* would suffice and probably be
better. Of course, the encryption part makes the whole point moot.

At 10:20 PM 8/14/2002 +0000, Dragos Ruiu wrote:
>Well not strictly true. It's very easy to look at a particular field in a
>packet and see if a value exceeds a certain integer. Not even CPU intensive.
>It would be simply a plug-in not a pre-processor.