[Snort-sigs] RE: [Snort-users] More sid 1841
mkettler at ...189...
Sat Feb 22 12:36:03 EST 2003
Since it's about improving a rule which is FP prone, I'll agree this has
turned into a signature-devel related topic more than a users topic. Moving
out of users.
The keyword you want is "within" not "depth".
And no, you can't use regexps in Snort... Snort would be a lot slower if
So what you really want is something like this:
(note I upped the range, due to the possibility of escape-codes making the
domain part of this URL longer than 255 bytes, as per my snort-users post).
At 11:00 AM 2/22/2003 -0600, Schmehl, Paul L wrote:
>If I understand the rules docs correctly (and there's no guarantee that
>I do), the depth parameter is measured from the beginning of the
>payload, not from the beginning of a previous content search.
>So something like this wouldn't work, right?
>Can you use regexp wild cards like this?
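
The depth-versus-within distinction discussed in this thread, as an added example that is not part of the original posts and is not Snort's own code: a simplified Python model of two chained content matches. The patterns, payloads and the 300-byte range are constructed for illustration and are not the contents of sid 1841.

```python
# Simplified model of Snort content matching (assumption: not Snort's own code).
# depth  N: pattern must lie inside the first N bytes of the payload.
# within N: pattern must lie inside the N bytes after the previous match.

def find_end(payload, pattern, start, limit):
    """End offset of pattern fully inside payload[start:start+limit], or None."""
    stop = len(payload) if limit is None else min(len(payload), start + limit)
    idx = payload.find(pattern, start, stop)
    return None if idx < 0 else idx + len(pattern)

def rule_matches(payload, contents):
    """contents: ordered (pattern, modifier, n); modifier: None, 'depth', 'within'."""
    prev_end = 0
    for pattern, modifier, n in contents:
        if modifier == "within":          # relative to the previous match
            end = find_end(payload, pattern, prev_end, n)
        elif modifier == "depth":         # absolute, from start of payload
            end = find_end(payload, pattern, 0, n)
        else:                             # unbounded, from start of payload
            end = find_end(payload, pattern, 0, None)
        if end is None:
            return False
        prev_end = end
    return True

# Constructed patterns and range (hypothetical, not the contents of sid 1841).
FIRST, SECOND, RANGE = b"proto://", b"@", 300
UNBOUNDED = [(FIRST, None, None), (SECOND, None, None)]
WITH_DEPTH = [(FIRST, None, None), (SECOND, "depth", RANGE)]
WITH_WITHIN = [(FIRST, None, None), (SECOND, "within", RANGE)]

# Constructed payloads.
DEEP = b"x" * 400 + b"proto://host.example@other.example/"   # should alert
FAR = b"proto://host.example/" + b"x" * 400 + b"mail user@site.example"  # benign
BEFORE = b"user@site.example " + b"proto://host.example/"    # benign

def verdicts(payload):
    """Return (unbounded, depth, within) match results for one payload."""
    return tuple(rule_matches(payload, r) for r in (UNBOUNDED, WITH_DEPTH, WITH_WITHIN))

if __name__ == "__main__":
    for name, p in (("DEEP", DEEP), ("FAR", FAR), ("BEFORE", BEFORE)):
        print(name, dict(zip(("unbounded", "depth", "within"), verdicts(p))))
```

In this model the depth variant misses the URL that sits 400 bytes into the payload and still fires on an "@" that precedes the URL, while the within variant alerts only when the second pattern follows the first inside the range.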