[Snort-sigs] how can we alert on web visiting activity?

evilghost at ...3397... evilghost at ...3397...
Thu Nov 19 14:25:25 EST 2009


It was effectively communicated to Joel Esler who forwarded it to SF 
development.  Flowbits are borked too by the way.

Nigel Houghton wrote:
> On Thu, Nov 19, 2009 at 2:01 PM, evilghost at ...3397...
> <evilghost at ...3397...> wrote:
>   
>> What version of Snort are you using?  I have had issues with content
>> matching working correctly in the 2.8 branch (as have others at Emerging
>> Threats), I was able to get content matching to work as expected by
>> using the rawbytes option.  See section 3.5.3 in the Snort manual.
>>
>> content:"ebay"; nocase; rawbytes;
>>
>> -evilghost
>>     
>
> If you have evidence to support your claim, we would like to see it. A
> bug report would be good, until then, please refrain from giving
> "advice" like this. Your recommendation is detrimental to performance.
>
>   



