[Snort-sigs] RE: [Snort-users] More sid 1841
Schmehl, Paul L
pauls at ...1311...
Sat Feb 22 09:01:07 EST 2003
If I understand the rules docs correctly (and there's no guarantee that
I do), the depth parameter is measured from the beginning of the
payload, not from the beginning of a previous content search.
So something like this wouldn't work, right?
Can you use regexp wild cards like this?
Or better yet, like this?
And should we take this discussion to the snort-sigs list? (I'm ccing
it just in case we should.)
Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
From: Michael Boman [mailto:michael.boman at ...267...]
Sent: Saturday, February 22, 2003 8:59 AM
To: Matt Kettler
Cc: Schmehl, Paul L; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] More sid 1841
According to RFC 1034 and 1035 the hostname can be a maximum of 255
bytes, so just make sure the '\n' are within 255 bytes from the end of
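
The depth question raised above, as an added example that is not part of the original messages: a simplified Python model (not Snort's code) contrasting `depth`, counted from the start of the payload, with Snort's relative `distance`/`within` options, counted from the end of the previous content match. The payloads, patterns and helper names are constructed for illustration.

```python
# Simplified model of Snort content-option matching (illustration only).
# offset/depth    : absolute, counted from the start of the payload
# distance/within : relative, counted from the end of the previous match

def find(payload, pattern, start, limit):
    """Return the end index of pattern inside payload[start:start+limit], or -1."""
    end = len(payload) if limit is None else min(len(payload), start + limit)
    idx = payload.find(pattern, start, end)
    return -1 if idx < 0 else idx + len(pattern)

def match_rule(payload, contents):
    """contents: ordered list of dicts, each with 'pattern' plus optional
    offset/depth (absolute) or distance/within (relative) modifiers."""
    prev_end = 0
    for c in contents:
        if "within" in c or "distance" in c:
            start = prev_end + c.get("distance", 0)
            limit = c.get("within")
        else:
            start = c.get("offset", 0)
            limit = c.get("depth")
        prev_end = find(payload, c["pattern"], start, limit)
        if prev_end < 0:
            return False
    return True

# Constructed sample payloads (reserved example domains).
P1 = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"
P2 = b"GET /a.test HTTP/1.0\r\nHost: example.org\r\n\r\n"

HOST = {"pattern": b"Host: "}
ABS_20 = [HOST, {"pattern": b".test", "depth": 20}]   # first 20 payload bytes
ABS_40 = [HOST, {"pattern": b".test", "depth": 40}]   # first 40 payload bytes
REL_20 = [HOST, {"pattern": b".test", "within": 20}]  # 20 bytes after "Host: "

if __name__ == "__main__":
    for name, rule in (("depth:20", ABS_20), ("depth:40", ABS_40),
                       ("within:20", REL_20)):
        print(name, match_rule(P1, rule), match_rule(P2, rule))
```

On `P2` the `depth:40` rule fires on the `.test` in the URI, before the `Host: ` header, while `within:20` does not, because only the relative option is tied to the previous content match.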