[Snort-sigs] Possible Content Match problem - Was: Re: how can we alert on web visiting activity?

Jason Brvenik jasonb at ...435...
Thu Nov 19 20:31:52 EST 2009


I would be happy to look into both of these further. The odds are that
it is a configuration / environmental issue so please send me your
snort.conf, local.rules with the example rules in them, and a pcap.

On Thu, Nov 19, 2009 at 3:30 PM, evilghost at ...3397...
<evilghost at ...3397...> wrote:
> NP Joel, the flowbits was a gift.  I think our thread about rawbytes was
> here,
> http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-September/003682.html
>
> Flowbits one was here,
> http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-September/003786.html
> and a few exchanges there.
>
> I'll tap out of this thread now since it's getting off-topic.  I replied
> only to substantiate my assertion about rawbytes after Nigel rebuked me.
>
> -evilghost
>
> Joel Esler wrote:
>> Well, I don't know anything about the flowbits problem you are talking
>> about.
>>
>> But I did ask an emailed question to devel about the functionality of
>> rawbytes since there may be some misunderstanding.
>>
>> But I wasn't provided any pcaps or anything of problems...
>>
>> J
