[Snort-sigs] Solaris lpd exploit sig
mkettler at ...189...
Fri Jun 28 13:44:02 EDT 2002
I'll certainly acknowledge that you're more of a snort expert, but as far
as I know a search pattern starting with a long repeated sequence is pretty
much the most sub-optimal content rule you can make for the match case,
since it guarantees that on a real match you're going to have to make n
single character shifts, where n is the number of /'s in the pattern. Or is
my understanding of B-M a bit muddled?

You are right that a long pattern helps a lot in the non-match case, and
given that this is a not-very-common attack, the extra /'s probably do more
good than harm in general. Fair enough.

String matching aside I do still think the exclusion of port 515 was
probably an accidental oversight in the original rule, and significant
performance gains would be realized by adding it.

At 03:43 PM 6/28/2002 -0400, Chris Green wrote:
>The longer strings are better than the shorter patterns :-) Don't
>worry much about implementation level details like that when designing
>patterns. Worry more about making correct patterns when writing
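An added illustration of the trade-off debated in this thread, not code from either poster or from Snort: a Boyer-Moore-Horspool search instrumented to count window alignments and byte comparisons for match and non-match traffic. The Horspool variant, the patterns and the payloads are all assumptions constructed for the example; Snort's own matcher may behave differently.

```python
def horspool_stats(pattern: bytes, text: bytes):
    """Boyer-Moore-Horspool search.

    Returns (match offset or -1, alignments tried, byte comparisons made).
    """
    m, n = len(pattern), len(text)
    # Bad-character table keyed on the text byte under the pattern's last
    # position; later (rightmost) occurrences overwrite earlier ones.
    shift = {b: m - 1 - i for i, b in enumerate(pattern[:-1])}
    pos = alignments = comparisons = 0
    while pos + m <= n:
        alignments += 1
        j = m - 1
        while j >= 0:                      # compare right to left
            comparisons += 1
            if text[pos + j] != pattern[j]:
                break
            j -= 1
        if j < 0:
            return pos, alignments, comparisons
        pos += shift.get(text[pos + m - 1], m)
    return -1, alignments, comparisons


# Constructed inputs; none of these bytes come from the rule in the thread.
LEADING_RUN = b"/" * 16 + b"XYZ"       # repeated run first, distinctive tail
TRAILING_RUN = b"XYZ" + b"/" * 16      # same bytes, repeated run last
SHORT = b"XYZ"                         # short pattern for comparison
BENIGN = b"a" * 1000                   # non-match case, no '/' at all
HIT = b"a" * 100 + LEADING_RUN + b"a" * 20   # match case
SLASHES = b"/" * 200                   # long '/' run that never matches

CASES = [
    ("long pattern, non-match", LEADING_RUN, BENIGN),
    ("short pattern, non-match", SHORT, BENIGN),
    ("leading run, real match", LEADING_RUN, HIT),
    ("leading run vs '/' flood", LEADING_RUN, SLASHES),
    ("trailing run vs '/' flood", TRAILING_RUN, SLASHES),
]

if __name__ == "__main__":
    for name, pat, data in CASES:
        off, aligns, cmps = horspool_stats(pat, data)
        print(f"{name:27} offset={off:4} alignments={aligns:4} comparisons={cmps}")
```

In this variant the shift size is set by where the repeated byte last occurs before the pattern's final position, so the same 19 bytes cost very different amounts of work depending on whether the run leads or trails.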