[Snort-users] Maximum length for Content String

Venkataramesh Bontupalli bontupalliv1 at ...16841...
Fri May 16 23:11:31 EDT 2014


Yes, the maximum length of the regex that could be possible for detection..

For example:
alert tcp any any --> any any(msg: 'attempted anonymous FTP access';
content:'anonymous'; sid: 100001;)

In this example the length of content string is 9(anonymous)

So i would to know what could be the maximum length of content string
possible..
On May 16, 2014 9:02 PM, "waldo kitty" <wkitty42 at ...14940...> wrote:

> On 5/16/2014 3:29 PM, Venkataramesh Bontupalli wrote:
> > Dear Snort Experts,
> >
> > Could you please tell me know the maximum allowable content string
> length and
> > also pcre string length in a typical snort rule for matching the
> malicious content.
>
> content string length? as in what? fast_pattern??
>
> i don't understand your question about pcre string length... are you
> talking
> about the length of the regex used in the detections or the length of
> strings
> that may match the regex??
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         Please *keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform
> available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140516/b6300f53/attachment.html>


More information about the Snort-users mailing list