[Snort-sigs] RE: [Snort-users] More sid 1841

Jon warchild at ...288...
Sat Feb 22 13:08:04 EST 2003


On Sat, Feb 22, 2003 at 03:35:43PM -0500, Matt Kettler wrote:

> And no, you can't use regexp's in snort... Snort would be a lot slower if 
> it did.

Actually, Snort does have the ability to use regexps:

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.35

I don't know if this still holds true for 1.9 or 2.0, but the docs say that
regexps shouldn't be used in production environments.

Having full regexp support would be cool (even if it does mean a slower
Snort), but you can usually get pretty close with depth, within, offset,
and the byte_* stuff for 2.0.

-jon  




More information about the Snort-sigs mailing list