[Snort-sigs] how can we alert on web visiting activity?

Nigel Houghton nhoughton at ...435...
Thu Nov 19 14:20:52 EST 2009

On Thu, Nov 19, 2009 at 2:01 PM, evilghost at ...3397...
<evilghost at ...3397...> wrote:
> What version of Snort are you using?  I have had issues with content
> matching working correctly in the 2.8 branch (as have others at Emerging
> Threats), I was able to get content matching to work as expected by
> using the rawbytes option.  See section 3.5.3 in the Snort manual.
> content:"ebay"; nocase; rawbytes;
> -evilghost

If you have evidence to support your claim, we would like to see it. A
bug report would be good, until then, please refrain from giving
"advice" like this. Your recommendation is detrimental to performance.

Nigel Houghton
Head Mentalist
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

More information about the Snort-sigs mailing list