On Mar 19, 2009, at 4:30 PM, Paul Schmehl wrote:

--On Thursday, March 19, 2009 14:33:29 -0400 Joel Esler <[email protected]> wrote:

Would this be an appropriate use for byte_test or byte_jump?


That's what I was referring to when I mentioned applications. The problem with http traffic is that it's much more freeform and doesn't lend itself to byte_test and byte_jump type tests.


I'd probably use a combination of isdataat and pcre for this. As Marty said, 99.9999% of things can be found with plaintext Snort rules. Anything else, you can use an .so rule for.

--
Joel Esler T: 302-223-5974 (-) Gtalk: [email protected]
[m]
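A rule of the shape Joel describes, written as an added illustration for this thread rather than taken from any of the messages or from a Snort ruleset. The actual case Joel was asking about is not stated in the quoted text, so the header name, the 64-byte threshold, and the sid are invented for the example. The point it shows is the one Paul makes: an HTTP header can sit at any position and have any length, so there is no fixed offset for byte_test or byte_jump to work from; instead the content match sets the position, isdataat cheaply confirms enough bytes follow, and pcre does the freeform check relative to that match.

```snort
# Added example rule (hypothetical header and threshold, not from the thread).
# Alert when the value of a request header "X-Example-Token" is at least
# 64 bytes long. Header order and length vary per request, so the rule
# anchors on the content match rather than on an absolute byte offset.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"EXAMPLE oversized X-Example-Token request header"; \
    flow:to_server,established; \
    content:"X-Example-Token|3A|"; nocase; \
    isdataat:64,relative; \
    pcre:"/^X-Example-Token\x3A[ \t]*[^\r\n]{64}/mi"; \
    classtype:bad-unknown; \
    sid:1000001; rev:1; )
```

The `isdataat:64,relative;` check only verifies that at least 64 bytes of payload follow the matched header name; it is there so the more expensive pcre is not evaluated for the common short-header case. The pcre then enforces what isdataat cannot: that the 64 bytes are on the same header line (`[^\r\n]{64}`), with `/m` letting `^` match at the start of that line and `/i` matching the header name case-insensitively, consistent with `nocase` on the content match. The sid is in the local range (1000000 and above) and is a placeholder.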
