[Snort-sigs] how can we alert on web visiting activity?
nhoughton at ...435...
Thu Nov 19 14:20:52 EST 2009
On Thu, Nov 19, 2009 at 2:01 PM, evilghost at ...3397...
<evilghost at ...3397...> wrote:
> What version of Snort are you using? I have had issues with content
> matching working correctly in the 2.8 branch (as have others at Emerging
> Threats), I was able to get content matching to work as expected by
> using the rawbytes option. See section 3.5.3 in the Snort manual.
> content:"ebay"; nocase; rawbytes;
If you have evidence to support your claim, we would like to see it. A
bug report would be good, until then, please refrain from giving
"advice" like this. Your recommendation is detrimental to performance.
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
More information about the Snort-sigs