[Snort-users] MP3's are evil... Searching for traffic based upon uploaded file type...

Jason Haar Jason.Haar at ...294...
Thu Aug 5 21:01:40 EDT 2010


 On 08/06/2010 04:20 AM, Joel Esler wrote:
> As an aside, you can try, instead of removing your content, put it in
> addition to your PCRE.
>
> Place your pcre after your content and it's modifiers, and see if that
> makes a difference.
>

Hi Joel

Excuse my ignorance, but the order of content and pcre makes a
difference? Put it another way, is there any reason to ever have pcre
before content, and if not, why doesn't snort just re-order them during
parsing?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1





More information about the Snort-users mailing list