[Snort-users] Depth limit of binary flow using just pcre (no content option)

Frank Calone fc10011001 at ...11827...
Fri Jul 19 14:20:29 EDT 2013


I'd like to test just the first 500 bytes of a session for a pcre pattern.
I've seen port 80 session data with just raw tranfers, no http related
stuff.  It appears the "depth" option must have a content check.  I really
don't have a good content criteria to test for.  My interest is strictly in
just a pattern.  Any ideas on how to limit the testing to just 500 bytes
of any given session?  I have some content only rules that are not alerting
when I added the pcre tests.  I suspect trying to analyze all sessions and
all bytes for a dozen different patterns is a bit much to ask of Snort.

Frank
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130719/83abe620/attachment.html>


More information about the Snort-users mailing list