[Snort-users] PCRE and cross packet matching

Joel Esler jesler at ...1935...
Mon Aug 6 11:57:12 EDT 2012


On Aug 6, 2012, at 9:36 AM, Joel Esler <jesler at ...1935...> wrote:

>> BTW, if there are no "stream-based" equivalents to such keywords due to
>> resource/complexity issues, how about creating keywords explicitly for
>> the first packet of a stream - that is probably 99% of the problem area?

Also, just as an addendum, sorry for not posting it originally.

We do have a keyword upcoming in a future version of Snort that ensures that you are at the start of a stream, no matter what.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire