[Snort-sigs] how can we alert on web visiting activity?

Nigel Houghton nhoughton at ...435...
Thu Nov 19 14:20:52 EST 2009


On Thu, Nov 19, 2009 at 2:01 PM, evilghost at ...3397...
<evilghost at ...3397...> wrote:
> What version of Snort are you using?  I have had issues with content
> matching working correctly in the 2.8 branch (as have others at Emerging
> Threats); I was able to get content matching to work as expected by
> using the rawbytes option.  See section 3.5.3 in the Snort manual.
>
> content:"ebay"; nocase; rawbytes;
>
> -evilghost

If you have evidence to support your claim, we would like to see it. A
bug report would be good; until then, please refrain from giving
"advice" like this. Your recommendation is detrimental to performance.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/



