[Snort-sigs] Dynamic DNS update attempt (new sig)

Brian bmc at ...95...
Wed Nov 1 09:39:27 EST 2006


On Wed, Nov 01, 2006 at 09:48:04AM -0800, Jon Hart wrote:
> > byte_test does not move the relative pointer.  You are checking the
> > same 2 bytes 4 times. 
> 
> Good to know.  The docs say relative is "Use an offset relative to last
> pattern match" -- a bit misleading, but the first example in the docs
> seems to back up what you say.

How is this misleading?

byte_test is not a pattern match.

Only the following are pattern match options:
    - content
    - uricontent
    - pcre

> > BTW, there are faster ways to do "1 or more", e.g. "not 0"
> > 
> >     content:!"|00 00|";
> 
> Is content negation faster than byte_test in general, or just in this
> specific case?

Content is faster than byte_test.  You can't always use content, but
when you can, do so.

Brian
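
The cursor behaviour discussed in this thread, as an added example that is not part of the original message and is not Snort's code: a small Python model in which a content match moves the cursor and byte_test does not. The Rule class, its method signatures and the 12-byte header are constructed for illustration.

```python
# Toy model of the rule-option cursor discussed above (illustration only,
# not Snort source). offset/depth stand in for distance/within when relative.
class Rule:
    def __init__(self, payload: bytes):
        self.payload = payload
        self.cursor = 0   # end of the last pattern match
        self.reads = []   # absolute offsets byte_test looked at

    def content(self, pat, offset=0, depth=None, relative=False, negated=False):
        start = (self.cursor if relative else 0) + offset
        end = len(self.payload) if depth is None else start + depth
        idx = self.payload.find(pat, start, end)
        if negated:
            return idx < 0   # assumed here: a negated match leaves the cursor alone
        if idx >= 0:
            self.cursor = idx + len(pat)   # a pattern match moves the cursor
        return idx >= 0

    def byte_test(self, nbytes, op, value, offset, relative=False):
        at = (self.cursor if relative else 0) + offset
        self.reads.append(at)   # the cursor itself is never advanced here
        field = int.from_bytes(self.payload[at:at + nbytes], "big")
        return {">": field > value, "<": field < value, "=": field == value}[op]

# Constructed 12-byte DNS header: ID, flags (opcode 5 = UPDATE), then four
# 16-bit counts with the values 1, 0, 1, 0.
HEADER = bytes.fromhex("1234" "2800" "0001" "0000" "0001" "0000")

def _after_flags():
    r = Rule(HEADER)
    assert r.content(b"\x28\x00", offset=2, depth=2)   # cursor is now at byte 4
    return r

def repeated_relative_tests():
    # Four identical relative byte_tests: every one reads bytes 4-5.
    r = _after_flags()
    return [r.byte_test(2, ">", 0, 0, relative=True) for _ in range(4)], r.reads

def stepped_relative_tests():
    # Stepping the offset by hand reads the four counts one after another.
    r = _after_flags()
    return [r.byte_test(2, ">", 0, o, relative=True) for o in (0, 2, 4, 6)], r.reads

def nonzero_by_negated_content():
    # "not 0" on the first count, written as a negated two-byte content match.
    r = _after_flags()
    return r.content(b"\x00\x00", depth=2, relative=True, negated=True)

if __name__ == "__main__":
    print(repeated_relative_tests(), stepped_relative_tests(), nonzero_by_negated_content())
```

With the repeated tests all four checks pass even though two of the counts are zero, which is the false match the thread warns about.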



