[Snort-sigs] Snort rule for a pattern match?
jesler at ...435...
Wed Mar 27 11:08:49 EDT 2013
On Mar 27, 2013, at 10:55 AM, lists at ...3397... wrote:
> On 03/27/2013 09:45 AM, Shields, Joseph (NIH/NIEHS) [C] wrote:
>> How can I write this rule?
> Write the PCRE and I'll write the rule. You have to use byte_test/byte_extract
> or PCRE. Either way, IMHO, Snort isn't the best place to do this level of
> complex packet analysis because it'll be a costly rule.
I agree with that; theoretically, if there is no other content match, the rule will enter (performance-wise) on every packet.
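
Added illustration of the point made in this thread (not part of either poster's message, and not Snort project code): a small Python check that flags rules using pcre, byte_test or byte_extract with no content match to narrow them down. The sample rules and SIDs are constructed, and the parser is a simplification that counts any content/uricontent option, negated or not, as a content match.

```python
COSTLY = {"pcre", "byte_test", "byte_extract"}   # options named in the thread
ANCHORS = {"content", "uricontent"}              # assumption: either counts as a content match

def split_options(body):
    """Split a rule's option body on ';', ignoring ';' inside quotes or after a backslash."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\") and not escaped
    return [o for o in opts if o]

def option_names(rule):
    """Return the option keywords of one rule line, in order."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        return []
    return [o.split(":", 1)[0].strip() for o in split_options(rule[start + 1:end])]

def unanchored(rules):
    """Return the rules that have a costly option but no content match."""
    flagged = []
    for rule in rules:
        rule = rule.strip()
        if not rule or rule.startswith("#"):
            continue
        names = set(option_names(rule))
        if names & COSTLY and not names & ANCHORS:
            flagged.append(rule)
    return flagged

# Constructed sample rules (not from the original thread).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"pcre only"; pcre:"/id=[0-9]{9}\\;/"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"content then pcre"; content:"id="; pcre:"/id=[0-9]{9}/"; sid:1000002; rev:1;)',
    'alert udp any any -> any 53 (msg:"byte_test only"; byte_test:2,>,512,0; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    for r in unanchored(SAMPLE_RULES):
        print("no content match:", r)
```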