[Snort-users] Anyones doomsday machine running low on IDS analyst tears?
william.metcalf at ...11827...
Wed Oct 6 16:57:36 EDT 2010
> No dice.. So I guess the take away here is that if you are moving to a
> VRT snort.conf or a 2.9.0 ruleset and you are running custom rules I
> would pay real close attention to debug-print-fast-pattern output. We
> are going through the poor performers now and making modifications
> where appropriate for ET rules, just thought folks might want to know
Forgot to add the bit about the solution. If you do end up using this
pm with the default options, for rules such as this use the
fast_pattern:<offset>,<length>; options... i.e.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"ET TROJAN Delf Checkin via HTTP (8)"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    content:".php"; http_uri; nocase; \
    content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; fast_pattern:30,20; \
    content:"name="; http_client_body;
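To see what fast_pattern:<offset>,<length> actually hands to the pattern matcher, here is an added helper (example code written for this archive page, not part of the post or of Snort) that decodes a rule's content strings, including |..| hex sections, and reports the bytes the fast pattern matcher would search for: the longest content when no fast_pattern is set (Snort's default selection), or the <length> bytes starting at <offset> when one is. The rule below is the one from the post, closed with placeholder sid/rev values so it parses; nocase and buffer-specific tuning are not modelled.

```python
"""Added example: which bytes does a Snort rule's fast_pattern select?

Not from the original post or from the Snort project. The rule is the one
quoted in the post; its truncated tail is closed with PLACEHOLDER sid/rev
values (sid 1000001 is in the local-rule range) purely so it parses.
"""
import re

# |3a 3b| style hex sections inside a Snort content string
HEX_RE = re.compile(r"\|([0-9A-Fa-f\s]+)\|")

# Constructed from the rule in the post; classtype/sid/rev are placeholders.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"ET TROJAN Delf Checkin via HTTP (8)"; flow:established,to_server; '
    'content:"POST"; http_method; content:".php"; http_uri; nocase; '
    'content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; '
    'http_header; fast_pattern:30,20; content:"name="; http_client_body; '
    'sid:1000001; rev:1;)'  # placeholder identifiers, not from the post
)


def decode_content(raw: str) -> bytes:
    """Decode a content value: text outside |..| is literal, inside is hex."""
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(raw):
        out += raw[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += raw[pos:].encode("latin-1")
    return bytes(out)


def split_options(body: str) -> list:
    """Split the option body on ';' without splitting inside quoted values."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_contents(rule: str) -> list:
    """Return one record per content option with its buffer and fast_pattern."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for opt in split_options(body):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name == "content":
            contents.append({"pattern": decode_content(value.lstrip("!").strip('"')),
                             "buffer": "raw", "fast_pattern": None})
        elif not contents:
            continue  # msg/flow and friends come before the first content
        elif name == "fast_pattern":
            if value and value != "only":
                off, ln = (int(x) for x in value.split(","))
                contents[-1]["fast_pattern"] = (off, ln)
            else:
                contents[-1]["fast_pattern"] = (0, None)  # whole content
        elif name.startswith("http_"):
            contents[-1]["buffer"] = name  # modifier applies to last content
    return contents


def select_fast_pattern(rule: str) -> bytes:
    """Bytes the fast pattern matcher searches for before full rule evaluation."""
    contents = parse_contents(rule)
    explicit = [c for c in contents if c["fast_pattern"] is not None]
    if explicit:
        off, ln = explicit[0]["fast_pattern"]
        pat = explicit[0]["pattern"]
        return pat[off:] if ln is None else pat[off:off + ln]
    # Default selection: the longest content wins.
    return max(contents, key=lambda c: len(c["pattern"]))["pattern"]


if __name__ == "__main__":
    print("with fast_pattern:30,20 ->", select_fast_pattern(RULE))
    print("default selection      ->",
          select_fast_pattern(RULE.replace("fast_pattern:30,20; ", "")))
```

With fast_pattern:30,20 the matcher searches for b"tible; Indy Library)", the part of the header that is specific to this client, instead of a string that begins with the near-universal "User-Agent: Mozilla/" prefix; running the script on your own rules before a 2.9.0 ruleset migration gives a quick way to sanity-check what debug-print-fast-pattern will report.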