[Snort-users] PCRE and cross packet matching

Joel Esler jesler at ...1935...
Mon Aug 6 09:36:35 EDT 2012


On Aug 5, 2012, at 5:51 PM, Jason Haar <Jason_Haar at ...15306...> wrote:

> In a similar vein, "distance" only applies at the packet level: is there
> an equivalent keyword that applies at the stream level?
> 
Incorrect. It applies for both.


> <snip>

> The "distance:0" is the problem: the *intent* of the rule is to match
> against the first chars in a TCP stream, whereas it's hitting the first
> chars in any packet of an existing stream. So is there a better way of
> doing that?
> 
> BTW, if there is no "stream-based" equivalent to such keywords due to
> resource/complexity issues, how about creating keywords explicitly for
> the first packet of a stream - that is probably 99% of the problem area?

http://manual.snort.org/node33.html#SECTION00469000000000000000

no_stream
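As an added illustration (not from the thread and not from the Snort project itself), here is the keyword Joel points at in rule form. "no_stream" and its counterpart "only_stream" are options of the "flow" keyword in Snort 2.9 rule syntax; the content strings, ports and SIDs below are placeholders chosen for the example.

```snort
# Added example, not from the original thread. Content strings, ports and SIDs are placeholders.
# flow:no_stream keeps the rule off the rebuilt (reassembled) stream buffer, so it only
# evaluates raw packets and "depth"/"distance" are measured from that packet's payload start.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE first bytes of a raw packet"; flow:established,to_server,no_stream; content:"GET "; depth:4; content:"/"; distance:0; sid:1000001; rev:1;)

# The counterpart: flow:only_stream evaluates the rule only against the rebuilt stream buffer.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rebuilt stream buffer only"; flow:established,to_server,only_stream; content:"GET "; depth:4; sid:1000002; rev:1;)
```

Caveat for the first form: because it never sees reassembled data, a request whose first bytes are split across TCP segments will not satisfy the depth:4 match on any single packet, so a no_stream rule trades segmentation evasion resistance for a precise "start of this packet" anchor.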
