[Snort-sigs] RE: [Snort-users] More sid 1841

Schmehl, Paul L pauls at ...1311...
Sat Feb 22 12:47:03 EST 2003

Is "within" a new option?  I don't see it in the docs page on the

I think what you've proposed makes a great deal of sense and would
probably reduce the FPs significantly.  So how do we proceed to get that

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...189...] 
Sent: Saturday, February 22, 2003 2:36 PM
To: Schmehl, Paul L; Michael Boman
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] RE: [Snort-users] More sid 1841

Since it's about improving a rule which is FP prone, I'll agree this has
turned into a signature-devel related topic more than a users topic.
out of users.

The keyword you want is "within" not "depth".

And no, you can't use regexps in snort... Snort would be a lot slower if
it did.

So what you really want is something like this:
content:"javascript\://"; nocase; content:"\\n"; within:512;

(note I upped the range, due to the possibility of escape-codes making the
domain part of this URL longer than 255 bytes, as per my snort-users
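
The difference between "within" and "depth" discussed in this message, as an added example that is not part of the original thread and not Snort's own code. It is a simplified model: "depth" limits the search to the first N bytes of the payload, "within" limits it to the N bytes after the end of the previous content match. The second pattern is assumed to be a newline byte, and all payloads are constructed samples.

```python
# Simplified model of chained Snort "content" matching (illustrative only).
# A rule is a list of (pattern, options); options may hold nocase, depth, within.

def find_all(hay, pat, start, end):
    """Yield the end offset of every occurrence of pat fully inside hay[start:end]."""
    i = hay.find(pat, start, end)
    while i != -1:
        yield i + len(pat)
        i = hay.find(pat, i + 1, end)

def match(payload, contents, cursor=0):
    """Return True if every content in the chain matches the payload in order."""
    if not contents:
        return True
    (pat, opts), rest = contents[0], contents[1:]
    hay = payload.lower() if opts.get("nocase") else payload
    pat = pat.lower() if opts.get("nocase") else pat
    if "within" in opts:
        # Relative: window starts where the previous content match ended.
        start, end = cursor, cursor + opts["within"]
    else:
        # Absolute: window starts at payload byte 0, optionally capped by depth.
        start, end = 0, opts.get("depth", len(payload))
    # Try every occurrence so a later hit can still satisfy the rest of the chain.
    return any(match(payload, rest, e) for e in find_all(hay, pat, start, end))

# The rule fragment from the message, and the same rule with depth instead.
WITHIN_RULE = [(b"javascript://", {"nocase": True}), (b"\n", {"within": 512})]
DEPTH_RULE = [(b"javascript://", {"nocase": True}), (b"\n", {"depth": 512})]

# Constructed payloads (not captured traffic).
LATE = b"x" * 600 + b"JavaScript://host\nrest"          # URL starts after byte 512
BEFORE = b"line one\n" + b'<a href="javascript://host/path">'  # newline only before URL
FAR = b"javascript://" + b"a" * 600 + b"\n"             # newline > 512 bytes after URL

if __name__ == "__main__":
    for name, p in (("LATE", LATE), ("BEFORE", BEFORE), ("FAR", FAR)):
        print(name, "within:", match(p, WITHIN_RULE), "depth:", match(p, DEPTH_RULE))
```

With depth the newline test is anchored to the start of the packet, so it misses LATE and fires on BEFORE even though the newline is unrelated to the URL; within ties the test to the position of the javascript:// match.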
