[Snort-users] Depth limit of binary flow using just pcre (no content option)
fc10011001 at ...11827...
Fri Jul 19 14:20:29 EDT 2013
I'd like to test just the first 500 bytes of a session for a pcre pattern.
I've seen port 80 session data with just raw transfers, no HTTP-related
stuff. It appears the "depth" option must have a content check. I really
don't have a good content criteria to test for. My interest is strictly in
just a pattern. Any ideas on how to limit the testing to just 500 bytes
of any given session? I have some content-only rules that are not alerting
when I added the pcre tests. I suspect trying to analyze all sessions and
all bytes for a dozen different patterns is a bit much to ask of Snort.