[Snort-sigs] Suggestion to cut down on FP for generic overflow rules

Brian bmc at ...95...
Thu May 13 06:24:04 EDT 2004


On Thu, May 13, 2004 at 05:25:00PM +1200, Russell Fulton wrote:
> I was wondering if it would be worth parameterising these rules with a
> $FTP_PATH_LEN and an IMAP_FOLDER_LEN which gets set along with all the
> other configurable stuff in snort.conf?

Nope, because it is specific to specific implementations of IMAP.

I'd rather not use variables inside the rule body, as you will not be
able to track the history of a rule appropriately if the detection
capabilities are tied to something outside of the rule.

Brian




More information about the Snort-sigs mailing list