[Snort-sigs] Dynamic DNS update attempt (new sig)
bmc at ...95...
Wed Nov 1 09:39:27 EST 2006
On Wed, Nov 01, 2006 at 09:48:04AM -0800, Jon Hart wrote:
> > byte_test does not move the relative pointer. You are checking the
> > same 2 bytes 4 times.
> Good to know. The docs say relative is "Use an offset relative to last
> pattern match" -- a bit misleading, but the first example in the docs
> seems to back up what you say.
How is this misleading?
byte_test is not a pattern match.
Only the following are pattern match options:
> > BTW, there are faster ways to do "1 or more", e.g. "not 0"
> > content:!"|00 00|";
> Is content negation faster than byte_test in general, or just in this
> specific case?
Content is faster than byte_test. You can't always use content, but
when you can, do so.
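
The cursor behaviour discussed in this message, as an added example that is not part of the original thread: a simplified Python model, not Snort code, in which a content match moves the relative cursor and byte_test only reads from it. The class, function names and payload are constructed for illustration, and limiting the negated content to one field with distance/within is an assumption about how the abbreviated `content:!"|00 00|"` would be constrained in a full rule.

```python
# Simplified model of Snort's relative cursor; not Snort code. Names are hypothetical.
class Cursor:
    def __init__(self, payload: bytes):
        self.payload = payload
        self.pos = 0  # end of the last pattern match

    def content(self, pattern: bytes) -> bool:
        """Pattern match: on success the cursor moves past the match."""
        idx = self.payload.find(pattern, self.pos)
        if idx < 0:
            return False
        self.pos = idx + len(pattern)
        return True

    def byte_test_gt(self, nbytes: int, value: int, offset: int):
        """byte_test:<nbytes>,>,<value>,<offset>,relative. Reads only; cursor stays put."""
        start = self.pos + offset
        field = self.payload[start:start + nbytes]
        if len(field) < nbytes:
            return (False, start)
        return (int.from_bytes(field, "big") > value, start)

    def not_content(self, pattern: bytes, distance: int, within: int) -> bool:
        """content:!"<pattern>"; distance:<d>; within:<w>; true when the pattern is absent."""
        start = self.pos + distance
        return pattern not in self.payload[start:start + within]

# Constructed payload: 2-byte marker, then four big-endian 16-bit counts (1, 0, 2, 0).
PAYLOAD = bytes.fromhex("aabb" "0001" "0000" "0002" "0000")

def repeated_tests(payload: bytes = PAYLOAD):
    """Four byte_tests, all at relative offset 0: the same two bytes every time."""
    c = Cursor(payload)
    assert c.content(b"\xaa\xbb")
    return [c.byte_test_gt(2, 0, 0) for _ in range(4)]

def stepped_tests(payload: bytes = PAYLOAD):
    """Explicit offsets 0, 2, 4, 6 walk the four fields."""
    c = Cursor(payload)
    assert c.content(b"\xaa\xbb")
    return [c.byte_test_gt(2, 0, off) for off in (0, 2, 4, 6)]

def negated_tests(payload: bytes = PAYLOAD):
    """'Not 0' per field via negated content, window limited to that field."""
    c = Cursor(payload)
    assert c.content(b"\xaa\xbb")
    return [c.not_content(b"\x00\x00", off, 2) for off in (0, 2, 4, 6)]

if __name__ == "__main__":
    print(repeated_tests(), stepped_tests(), negated_tests())
```

Each result pair is (test passed, payload offset read): the repeated form reads offset 2 four times and passes even though two of the counts are zero.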