[Snort-users] PCRE and cross packet matching
jesler at ...1935...
Mon Aug 6 09:36:35 EDT 2012
On Aug 5, 2012, at 5:51 PM, Jason Haar <Jason_Haar at ...15306...> wrote:
> In a similar vein, "distance" only applies at the packet level: is there
> an equivalent keyword that applies at the stream level?
Incorrect. It applies for both.
> The "distance:0" is the problem: the *intent* of the rule is to match
> against the first chars in a TCP stream, whereas it's hitting the first
> chars in any packet of an existing stream. So is there a better way of
> doing that?
> BTW, if there are no "stream-based" equivalent to such keywords due to
> resource/complexity issues, how about creating keywords explicitly for
> the first packet of a stream - that is probably 99% of the problem area?
More information about the Snort-users