[Snort-sigs] [Emerging-Sigs] what's the real difference here?

Joel Esler jesler at ...435...
Tue Jul 13 20:20:12 EDT 2010

On Jul 13, 2010, at 8:16 PM, evilghost at ...3397... wrote:
>> Yes, I do understand.  Like I said, I'd like a Snort team comment on this one, just so we can be clear.  Are you saying that we should make it clear in the manual?
> I'd absolutely love to see a "Caveats" section, even if it were nothing more than an ordered list.  I think it would be invaluable.  A singular line item that says
> "'uricontent:"souls"' and 'content:"souls"; http_uri;' are the same." and "Content modifiers like distance, within, isdataat, and others are not applicable to a content match
> constrained to a specific buffer such as http_uri, http_cookie, or http_header.  The reason for this is the pointer set in the content engine/match compared with the pointer
> set in the separate constrained buffer."  That's worth gold since it's idiosyncratic to Snort and rule syntax; not something gleaned from the manual or strict adherence to the
> manual.
> Write "Caveats" from the perspective of someone who just picked up the Snort manual and can RTFM but writes rules with strict adherence to the manual itself and doesn't have the benefit
> of years of experience with 'rulecraft'.

Okay, I'll take that in and see what I can do.
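As an added example (not part of this thread, and not Snort project code), here is a small Python lint pass that mechanically applies the two caveats evilghost asks to have documented: it rewrites `uricontent:X` into the `content:X; http_uri;` form the message calls equivalent, and it flags any `distance`, `within` or `isdataat` attached to a content match that is constrained to `http_uri`, `http_cookie` or `http_header`. It encodes the caveat exactly as stated in the quoted message, not as a claim about the semantics of any particular Snort version. The rules it runs over are constructed for the example (sids in the local 1000000 range), and the function names and modifier lists are my own assumptions.

```python
"""Snort rule option lint: uricontent normalization and buffer/relative-modifier check."""

# Buffer-constraining modifiers named in the quoted message (assumed list; extend as needed).
BUFFER_MODIFIERS = {"http_uri", "http_cookie", "http_header"}
# Position-relative modifiers the message says do not apply inside those buffers.
RELATIVE_MODIFIERS = {"distance", "within", "isdataat"}
# Keywords that start a new match; each one ends the previous match's modifier run.
MATCH_KEYWORDS = {"content", "uricontent", "pcre"}


def split_options(rule):
    """Return the option section of a Snort rule as (keyword, value) tuples.

    value is None for bare flags such as nocase or http_uri. Splits on ';' only
    outside double quotes (backslash escapes honoured), so content:"a;b" stays one option.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            cur.append(ch)
        elif ch == ";" and not in_quotes:
            _push(opts, cur)
            cur = []
        else:
            cur.append(ch)
    _push(opts, cur)
    return opts


def _push(opts, chars):
    """Append one 'keyword:value' or bare 'keyword' token to opts."""
    tok = "".join(chars).strip()
    if not tok:
        return
    keyword, sep, value = tok.partition(":")
    opts.append((keyword.strip(), value.strip() if sep else None))


def format_rule(head, opts):
    """Reassemble a rule header and option list into rule text."""
    rendered = [f"{k}:{v};" if v is not None else f"{k};" for k, v in opts]
    return f"{head}({' '.join(rendered)})"


def normalize_uricontent(rule):
    """Rewrite every uricontent:X as content:X; http_uri (the message calls them equivalent)."""
    head = rule[:rule.index("(")]
    opts = []
    for k, v in split_options(rule):
        if k == "uricontent":
            opts.append(("content", v))
            opts.append(("http_uri", None))
        else:
            opts.append((k, v))
    return format_rule(head, opts)


def match_groups(opts):
    """Group each content/uricontent/pcre with the option keywords that follow it."""
    groups, current = [], None
    for k, v in opts:
        if k in MATCH_KEYWORDS:
            current = {"keyword": k, "value": v, "mods": []}
            groups.append(current)
        elif current is not None:
            current["mods"].append(k)
    return groups


def lint(rule):
    """Return one warning per match that is both buffer-constrained and relative-modified."""
    warnings = []
    for g in match_groups(split_options(rule)):
        buffers = set(g["mods"]) & BUFFER_MODIFIERS
        if g["keyword"] == "uricontent":
            buffers.add("http_uri")  # uricontent is implicitly the http_uri buffer
        relatives = [m for m in g["mods"] if m in RELATIVE_MODIFIERS]
        if buffers and relatives:
            warnings.append(
                f'{g["keyword"]}:{g["value"]} is constrained to '
                f'{"/".join(sorted(buffers))} but uses {", ".join(relatives)}'
            )
    return warnings


# Constructed sample rules for this example (not from any published ruleset).
HEAD = "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS "
RULE_URICONTENT = HEAD + '(msg:"uricontent form"; uricontent:"souls"; nocase; sid:1000001; rev:1;)'
RULE_HTTP_URI = HEAD + '(msg:"uricontent form"; content:"souls"; http_uri; nocase; sid:1000001; rev:1;)'
RULE_CAVEAT = HEAD + ('(msg:"relative modifier on http_uri"; content:"souls"; http_uri; '
                      'content:"wares"; http_uri; distance:0; within:20; sid:1000002; rev:1;)')

if __name__ == "__main__":
    print(normalize_uricontent(RULE_URICONTENT))
    for rule in (RULE_HTTP_URI, RULE_CAVEAT):
        for line in lint(rule) or ["ok"]:
            print(line)
```

Run as a script it prints the normalized rule and then `ok` for the clean rule and a single warning for the `distance`/`within` rule. The splitter is the part worth keeping: it respects quoted semicolons and escaped quotes, which a naive `split(";")` over rule options does not.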

