[Snort-sigs] [Emerging-Sigs] Errors with the Snort manual

Joel Esler jesler at ...435...
Thu Feb 18 14:52:25 EST 2010


I have to go off of the current version of the manual, as we put out
corrections and additions to the manual with every version of Snort.

I am looking at the version that is currently on Snort.org, the
REGEX in 3.5.6 reads:
"/ABC.{1}DEF/" and the example is (content:"ABC"; content:"DEF";
This is correct.

In 3.5.7 it says "This rule constrains the search of EFG to not go past 10
bytes past the ABC match."

The example is (content:"ABC"; content:"EFG"; within:10;) -- which is

As for there being no "D": there is nothing mentioned about the letter D.


On Thu, Feb 18, 2010 at 2:37 PM, evilghost at ...3397... <
evilghost at ...3397...> wrote:

> Hello,
> There was a discussion on ET about some errors in the Snort manual.  I
> cannot remember if I reported these or not.  The Snort 2.8.4 manual
> appears to be inaccurate or wrong in a few places, specifically:
> Page #114, section 3.5.6, the REGEX used to explain figure 3.16 is
> incorrect.
> Page #114, section 3.5.7, the "10 bytes past the ABCDE match" verbiage
> is incorrect, there is no "D" in figure 3.17 nor is the explanation of
> figure 3.17 correct.
> I did not check 2.8.5 but I assume these may persist there as well.
> Thanks
> -evilghost

Joel Esler
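
The `within:10` constraint quoted from section 3.5.7 above, modelled in Python as an added example (not code from the Snort manual or from either poster). The function name and the payloads are constructed for illustration; the model covers only the relative window after the first match, not Snort's other content modifiers or its pattern matcher.

```python
from typing import List, Tuple


def within_matches(payload: bytes, first: bytes, second: bytes,
                   within: int) -> List[Tuple[int, int]]:
    """Model of: content:<first>; content:<second>; within:<within>;

    Returns (first_offset, second_offset) pairs where <second> lies
    entirely inside the <within> bytes that follow the end of <first>.
    Every occurrence of <first> is tried, so a later occurrence can
    satisfy the rule even if an earlier one does not.
    """
    hits = []
    start = 0
    while True:
        i = payload.find(first, start)
        if i == -1:
            break
        window_start = i + len(first)
        # The search for <second> may not go past <within> bytes
        # beyond the end of the <first> match.
        window = payload[window_start:window_start + within]
        j = window.find(second)
        if j != -1:
            hits.append((i, window_start + j))
        start = i + 1
    return hits


# Constructed sample payloads for content:"ABC"; content:"EFG"; within:10;
SAMPLES = {
    "adjacent": b"ABCEFG",
    "edge_inside": b"ABC" + b"x" * 7 + b"EFG",    # EFG ends exactly at byte 10
    "edge_outside": b"ABC" + b"x" * 8 + b"EFG",   # EFG ends at byte 11
    "second_abc": b"ABC" + b"x" * 20 + b"ABC--EFG",
    "wrong_order": b"EFGABC",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, within_matches(data, b"ABC", b"EFG", 10))
```

The two edge payloads differ by a single filler byte, which is the boundary a rule writer has to get right when choosing the `within` value.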