[Snort-sigs] RE: [Snort-users] More sid 1841

Schmehl, Paul L pauls at ...1311...
Sat Feb 22 12:47:03 EST 2003


Is "within" a new option?  I don't see it in the docs page on the
website.

I think what you've proposed makes a great deal of sense and would
probably reduce the FPs significantly.  So how do we proceed to get that
implemented?

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/



-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...189...] 
Sent: Saturday, February 22, 2003 2:36 PM
To: Schmehl, Paul L; Michael Boman
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] RE: [Snort-users] More sid 1841


Since it's about improving a rule which is FP prone, I'll agree this has
turned into a signature-devel related topic more than a users topic. Moving
out of users.

The keyword you want is "within" not "depth".

And no, you can't use regexps in snort... Snort would be a lot slower if
it did.

So what you really want is something like this:
content:"javascript\://"; nocase; content:"\\n"; within:512;

(note I upped the range, due to the possibility of escape-codes making the
domain part of this URL longer than 255 bytes, as per my snort-users post).
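Added illustration, not part of this thread and not Snort's own code: a small Python matcher that reproduces how Snort evaluates a chain of content options, so the difference between depth and within can be seen on actual bytes. within:N looks for the next pattern in the N bytes following the end of the previous content match, whereas depth:N only ever looks at the first N bytes of the payload, which is why a depth-based rule misses a javascript:// URL that appears late in a page. The DEPTH_RULE here is an assumed reconstruction of the depth:255 form being replaced, the payloads are constructed samples, and the content-string decoding follows Snort's escaping rules, under which "\\n" is the two bytes backslash and n (a real newline would be written |0A|).

```python
import re

# Tokenise Snort rule options: name, optional ":value" (quoted values may
# contain escaped characters such as \; and \"), each terminated by ';'.
OPT_RE = re.compile(r'\s*(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_content(spec: str) -> bytes:
    # Text between a content option's quotes -> raw bytes, following Snort
    # syntax: a backslash escapes the next character (\: \; \" \\) and
    # |..| encloses hex bytes.  Hence "\\n" decodes to b'\\n', not a newline.
    out = bytearray()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == '\\' and i + 1 < len(spec):
            out.append(ord(spec[i + 1]))
            i += 2
        elif ch == '|':
            close = spec.index('|', i + 1)
            out += bytes.fromhex(spec[i + 1:close].replace(' ', ''))
            i = close + 1
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def parse_options(text: str) -> list:
    # Build the content chain; nocase/depth/within modify the last content.
    chain = []
    for m in OPT_RE.finditer(text):
        name, value = m.group(1), m.group(2)
        if name == 'content':
            chain.append({'pattern': parse_content(value[1:-1]), 'nocase': False,
                          'depth': None, 'within': None})
        elif name == 'nocase':
            chain[-1]['nocase'] = True
        elif name in ('depth', 'within'):
            chain[-1][name] = int(value)
        else:
            raise ValueError(f'option {name!r} not supported by this toy matcher')
    return chain


def _find(payload: bytes, pattern: bytes, start: int, end: int, nocase: bool):
    # Offset just past the first occurrence of pattern inside payload[start:end], else None.
    hay = payload[start:end]
    if nocase:
        hay, pattern = hay.lower(), pattern.lower()
    idx = hay.find(pattern)
    return None if idx < 0 else start + idx + len(pattern)


def rule_matches(payload: bytes, chain: list) -> bool:
    cursor = 0  # end of the previous content match; 'within' is measured from here
    for c in chain:
        if c['within'] is not None:
            start, end = cursor, cursor + c['within']  # relative to the previous match
        elif c['depth'] is not None:
            start, end = 0, c['depth']                 # absolute: first N bytes only
        else:
            start, end = 0, len(payload)
        cursor = _find(payload, c['pattern'], start, end, c['nocase'])
        if cursor is None:
            return False
    return True


def check(rule_options: str, payload: bytes) -> bool:
    return rule_matches(payload, parse_options(rule_options))


# The rule from the post, and an assumed depth-based variant for contrast.
PROPOSED_RULE = r'content:"javascript\://"; nocase; content:"\\n"; within:512;'
DEPTH_RULE = r'content:"javascript\://"; nocase; content:"\\n"; depth:255;'

# Constructed sample payloads (not captured traffic).
SHORT = b'<a href="javascript://trusted.example/\\nalert(1)">'
LATE = b'x' * 600 + b'<a href="JAVASCRIPT://trusted.example/\\nalert(1)">'
FAR_APART = b'javascript://trusted.example/' + b'A' * 600 + b'\\n'

if __name__ == '__main__':
    for label, payload in [('SHORT', SHORT), ('LATE', LATE), ('FAR_APART', FAR_APART)]:
        print(f'{label:9s} within:512 -> {check(PROPOSED_RULE, payload)!s:5s} '
              f'depth:255 -> {check(DEPTH_RULE, payload)}')
```

Running it shows LATE matching the within:512 rule but not the depth:255 one (the URL starts after byte 255), and FAR_APART matching neither, since its "\n" sits more than 512 bytes after the end of "javascript://".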
