Snort mailing list archives
Re: Content Usage
From: "Rodrigo B. Ramos" <rodrigo.ramos () triforsec com br>
Date: Thu, 25 Mar 2004 14:33:18 -0300
Hi,

The search is done on the assembled packet. I do not know if there is a recommended general size. If you do not know where the "string" that you are searching for is, then how can you define a size?

IMHO a better idea is to try to analyze some packets with the "string" (worm, virus, etc.) that you are trying to detect and try to find patterns.

Best regards,
Rodrigo Ramos
http://www.triforsec.com.br
http://www.defenselayer.com

On Wed, 2004-03-24 at 22:13, Steve Johnson wrote:
Hi,

Does using the "content" keyword without any attributes like depth mean searching for the string in the total assembled payload, or searching for the content in the unassembled first packet payload?

If the content is to be searched in the total assembled payload, for the sake of efficiency is there a recommended size of the assembled packet to check it in?
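The two points in this thread (a content search over the assembled payload versus a single packet, and deriving a search size from sample traffic rather than guessing one) can be shown with a simplified model. This is an added example, not part of the original messages and not Snort's code; the function names, the `EXAMPLE-MARKER` pattern and the sample payloads are constructed for illustration, and reassembly here assumes in-order, non-overlapping segments.

```python
from typing import List, Optional, Tuple

def content_match(payload: bytes, pattern: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """True if pattern lies entirely inside the search window.

    The window starts `offset` bytes into the payload; with `depth` it
    covers `depth` bytes from there, otherwise it runs to the end.
    """
    if depth is not None and depth < len(pattern):
        raise ValueError("depth must be at least the pattern length")
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(pattern, offset, end) != -1

def reassemble(segments: List[bytes]) -> bytes:
    # Assumption: segments arrive in order with no overlap or retransmission.
    return b"".join(segments)

def per_segment_hits(segments: List[bytes], pattern: bytes) -> List[bool]:
    """Search each segment on its own, as if no reassembly took place."""
    return [content_match(s, pattern) for s in segments]

def window_for(samples: List[bytes], pattern: bytes) -> Tuple[int, int]:
    """Smallest (offset, depth) that still covers the pattern in every sample."""
    starts = [s.find(pattern) for s in samples]
    if -1 in starts:
        raise ValueError("pattern missing from at least one sample")
    offset = min(starts)
    depth = max(starts) + len(pattern) - offset
    return offset, depth

# Constructed sample data: the pattern straddles a segment boundary.
PATTERN = b"EXAMPLE-MARKER"
SEGMENTS = [
    b"GET /index.html HTTP/1.0\r\nX-Test: EXAMPLE-",
    b"MARKER\r\n\r\n",
]
SAMPLES = [
    reassemble(SEGMENTS),
    b"POST /a HTTP/1.0\r\nX-Test: EXAMPLE-MARKER\r\n\r\n",
]

if __name__ == "__main__":
    print("per segment :", per_segment_hits(SEGMENTS, PATTERN))
    print("reassembled :", content_match(SAMPLES[0], PATTERN))
    print("depth=40    :", content_match(SAMPLES[0], PATTERN, depth=40))
    off, dep = window_for(SAMPLES, PATTERN)
    print("window      : offset=%d depth=%d" % (off, dep))
```

A window derived this way is only as good as the samples behind it: traffic that places the pattern outside the window will not match, so the window should be checked against fresh captures before it is relied on.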