[Snort-sigs] Quick rule question

Mike Cox mike.cox52 at ...2420...
Fri Oct 19 10:59:52 EDT 2012


Haha, Joel beat me to it while I was typing a response and our responses
are eerily similar and basically the same thing (the snort stuff is exact
which is even more weird since we escaped certain things and used the same
raw specifications in the content matches).

-Mike Cox
 a.k.a. "Joel Jr."
 L21lIGJlaW5nIGdyb29tZWQgZm9yIEpvZWwncyBqb2IgYnV0IGRvbid0IHRlbGwgaGltIHBsZWFzZQ==
 QW0gSSBhIFNvdXJjZWZpcmUgaW50ZXJuPw==
 T3IgYW0gSSBhbiBhbHRlciBlZ28/ICBJIGhvcGUgeW91IGRpZG4ndCBkZWNvZGUgdGhpcy4uLi4=


On Fri, Oct 19, 2012 at 9:49 AM, Mike Cox <mike.cox52 at ...2420...> wrote:

> content:".htm"; content:"|22|"; distance:0; within:2; pcre:"/\.html?\x22/";
>
> Obviously this is inefficient without other matching criteria .. what and
> where are you trying to match on exactly?
>
> -Mike Cox
>
>
> On Fri, Oct 19, 2012 at 9:24 AM, James Lay <jlay at ...3266...> wrote:
>
>> Hey all,
>>
>> Quick question...trying to match:
>>
>> .htm"  OR  .html"
>>
>> my content can be htm and that's fine, but I need to make sure to have
>> the end quote at the end.
>>
>> Thanks all.
>>
>> James
>>
>>
>
>
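An added example, not part of the original thread: a simplified Python model of the rule options quoted above, run over constructed payloads, to show what the two content matches accept on their own and what the pcre then rejects. The function names and sample payloads are assumptions made for this illustration; this is not Snort's own matching code.

```python
import re

# Simplified model (not Snort itself) of the options quoted in the thread:
#   content:".htm"; content:"|22|"; distance:0; within:2; pcre:"/\.html?\x22/";
PCRE = re.compile(rb"\.html?\x22")


def content_chain(payload: bytes) -> bool:
    """content:".htm", then a 0x22 byte relative to the end of that match."""
    start = payload.find(b".htm")
    while start != -1:
        end = start + len(b".htm")
        # distance:0 starts the relative search right after ".htm";
        # within:2 limits it to the next two bytes.
        if b"\x22" in payload[end:end + 2]:
            return True
        # Try the next occurrence of ".htm" if this one did not pan out.
        start = payload.find(b".htm", start + 1)
    return False


def rule_matches(payload: bytes) -> bool:
    # The pcre in the rule has no R (relative) flag, so it scans the payload
    # from the beginning rather than from the last content match.
    return content_chain(payload) and PCRE.search(payload) is not None


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b'<a href="index.htm">',     # .htm"   -> wanted
    b'<a href="index.html">',    # .html"  -> wanted
    b'<a href="index.htmx">',    # .htmx"  -> passes content chain, fails pcre
    b'<a href="index.htmls">',   # .htmls" -> quote is outside within:2
    b"GET /index.htm HTTP/1.1",  # no closing quote at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32} contents={content_chain(sample)!s:5} "
              f"rule={rule_matches(sample)}")
```

The `.htmx"` case is the one to watch: the content pair alone would alert on any single byte between `.htm` and the quote, and the pcre is what narrows that byte to `l`.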