[Snort-sigs] OpenSSH

Matt Kettler mkettler at ...189...
Thu Aug 15 07:58:02 EDT 2002


I know it's not cpu intensive, on most CPU's comparison for equality, 
greater or less than are of equal instruction cycle count. (I'm a device 
driver and application programmer by trade, not a sysadmin) I merely was 
pointing out that the snort rule processing chain is not setup to do such 
things so such analysis could not be done in a snort rule, and would not 
work with the string matching algorithms used by snort for content parts.

as for plugin vs preprocessor, minor difference in terminology... I merely 
meant any "add on" feature to snort. But you are correct, there's no need 
for it to use the spp_* interface, sp_* would suffice and probably be 
better. Of course, the encryption part makes the whole point moot.

At 10:20 PM 8/14/2002 +0000, Dragos Ruiu wrote:
>Well not strictly true. It's very easy to look at a particular field in a
>packet and see if a value exceeds a certain integer. Not even cpu intesive.
>It would be simply a plug-in not a pre-processor.





More information about the Snort-sigs mailing list