[Snort-sigs] More poorly performing GID 3 rules....

Patrick Mullen pmullen at ...435...
Wed Feb 3 13:07:06 EST 2010

Actually, both of those rules are open source if you want to look at
their source code.


Not all SO rules are closed source.  Many SO rules are C code because
they do much more than the standard rules library allows; despite
popular opinion, rules aren't compiled only to obfuscate the
detection.  :)

Hope this helps,


On Wed, Feb 3, 2010 at 12:49 PM, Guise McAllaster
<guise.mcallaster at ...2420...> wrote:
> More poorly performing GID 3 rules that I cannot understand without
> reversing because they are compiled and the source is not released.
> 7019 - P2P WinNY connection attempt
> 8351 - BAD-TRAFFIC PGM nak list overflow attempt
> Srsly, is there any good reason these are protected by closed source?
> Maybe I can understand 8351 if it is part of your deal with MS but
> WinNY???  And don't get me started on the SMB hogs....
> Guise
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list