[Snort-sigs] how can we alert on web visiting activity?

evilghost at ...3397... evilghost at ...3397...
Thu Nov 19 15:30:47 EST 2009


NP Joel, the flowbits was a gift.  I think our thread about rawbytes was 
here, 
http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-September/003682.html

Flowbits one was here, 
http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-September/003786.html 
and a few exchanges there.

I'll tap out of this thread now since it's getting off-topic.  I replied 
only to substantiate my assertion about rawbytes after Nigel rebuked me.

-evilghost

Joel Esler wrote:
> Well, I don't know anything about the flowbits problem you are talking
> about.
>
> But I did ask an emailed question to devel about the functionality of
> rawbytes since there may be some misunderstanding.
>
> But I wasn't provided any pcaps or anything of problems...
>
> J
>
> On Thu, Nov 19, 2009 at 2:25 PM, evilghost at ...3397... <
> evilghost at ...3397...> wrote:
>
>   
>> It was effectively communicated to Joel Esler who forwarded it to SF
>> development.  Flowbits are borked too by the way.
>>
>> Nigel Houghton wrote:
>>     
>>> On Thu, Nov 19, 2009 at 2:01 PM, evilghost at ...3397...
>>> <evilghost at ...3397...> wrote:
>>>
>>>       
>>>> What version of Snort are you using?  I have had issues with content
>>>> matching working correctly in the 2.8 branch (as have others at Emerging
>>>> Threats), I was able to get content matching to work as expected by
>>>> using the rawbytes option.  See section 3.5.3 in the Snort manual.
>>>>
>>>> content:"ebay"; nocase; rawbytes;
>>>>
>>>> -evilghost
>>>>
>>>>         
>>> If you have evidence to support your claim, we would like to see it. A
>>> bug report would be good, until then, please refrain from giving
>>> "advice" like this. Your recommendation is detrimental to performance.
>>>
>>>
>>>       