[Snort-sigs] Snort rule for a pattern match?

Joel Esler jesler at ...435...
Wed Mar 27 11:08:49 EDT 2013


On Mar 27, 2013, at 10:55 AM, lists at ...3397... wrote:

> On 03/27/2013 09:45 AM, Shields, Joseph (NIH/NIEHS) [C] wrote:
>> How can I write this rule?
> 
> Write the PCRE and I'll write the rule.  You have to use byte_test/byte_extract
> or PCRE.  Either way, IMHO, Snort isn't the best place to do this level of
> complex packet analysis because it'll be a costly rule.

I agree with that, theoretically, if there is no other content match, the rule will enter (performance-wise) on every packet.




