[Snort-sigs] Could someone test a rule for me please?

Charlie Egan chas5873 at ...2420...
Thu Jul 3 06:39:41 EDT 2014

No worries Nathan!

Joel, I'm curious as to what the |13| means in the content section? I can't
figure it out when looking at the stream content image I uploaded above
from Wireshark.

Your rule looks a lot better than mine, with the extra depth which I've
just read up about, so thanks for that.

Out of curiosity though, would my initial rule have worked without giving
out any false positives?


On Wed, Jul 2, 2014 at 7:17 PM, lists at ...3397... <lists at ...3397...>

> On 07/02/2014 12:56 PM, Joel Esler (jesler) wrote:
> > I think Nathan may have missed the "BitTorrent protocol" part.
> Without a doubt, I completely missed it.  I profusely apologize Charlie.