[Snort-sigs] Couple sigs

lists at ...3397... lists at ...3397...
Mon Sep 10 12:09:41 EDT 2012


On 09/10/12 11:00, Alex Kirk wrote:
> single rule with a PCRE

I'm kind of partial to:

file_data; content:"<iframe "; nocase; content:"visibility|3a|hidden";
within:100; nocase; pcre:"/\x3ciframe[^\x3e]+[heigwdth]{5,6}[^\x3d]*?=[0-1][^\d]/i";

Not really sure though how to make that one performance friendly since the PCRE
engine may be invoked often.

Either way, good conversation James and Alex, I believe this theme to be very
useful.




More information about the Snort-sigs mailing list