On Tuesday, March 11, 2003, at 12:32 AM, Loki wrote:

> One thing to mention, the exploit wouldn't have triggered any of the
> "official" snort rules in my post as I disabled all rules except for my
> own custom rules file: fatelabs.rules.

Sid numbering:

0-100: Reserved for Marty
101-1000000: Snort.org "official" rules
1000001-2^32: Userland.

> Your confusion as to why the official snort rules using depth and mine
> which do not, both causing it to trigger really has nothing to do with
> depth. Specifying depth tells Snort not to look past 'n' bytes within
> the packet (a way of increasing the speed of Snort processing packets.

There's a big difference between using the depth/offset options
properly and incorrectly. When used properly (which usually requires
an intimate knowledge of the protocol you're analyzing) it works very
well, people who are inexperienced with Snort and network protocol
analysis should think twice about using these options.

     -Marty

--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roeschat_private - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
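The effect of a depth value on rule coverage can be checked before a rule is deployed. The Python sketch below is an added example, not part of the original message and not Snort's own code: it models a single content match with offset/depth and runs it against constructed sample payloads. The function names, the content string and the payloads are all hypothetical.

```python
from typing import List, Optional

# Constructed sample payloads (not captured traffic): the same request path
# behind HTTP methods of different lengths, so the content's position shifts.
CONTENT = b"/scripts/probe.cgi"
SAMPLES = [
    b"GET /scripts/probe.cgi HTTP/1.0\r\n\r\n",
    b"HEAD /scripts/probe.cgi HTTP/1.0\r\n\r\n",
    b"OPTIONS /scripts/probe.cgi HTTP/1.0\r\n\r\n",
]


def content_match(payload: bytes, content: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """Simplified model of one content match: the search starts at `offset`
    and the whole pattern must lie within `depth` bytes of that point.
    Assumption: no nocase, distance/within or preprocessor normalisation."""
    end = len(payload) if depth is None else offset + depth
    return payload.find(content, offset, end) != -1


def missed_by_depth(samples: List[bytes], content: bytes,
                    offset: int, depth: int) -> List[bytes]:
    """Known-positive samples that match without depth but not with it."""
    return [s for s in samples
            if content_match(s, content, offset)
            and not content_match(s, content, offset, depth)]


def minimal_depth(samples: List[bytes], content: bytes, offset: int = 0) -> int:
    """Smallest depth that still matches every positive sample."""
    ends = [s.find(content, offset) + len(content) - offset
            for s in samples if content_match(s, content, offset)]
    if not ends:
        raise ValueError("no sample contains the content at or after offset")
    return max(ends)


if __name__ == "__main__":
    # A depth tuned only against the GET sample loses the other two methods.
    for s in missed_by_depth(SAMPLES, CONTENT, 0, 22):
        print("depth:22 misses", s[:40])
    print("depth needed for all samples:", minimal_depth(SAMPLES, CONTENT))
```

The depth returned is only as good as the sample set, which is where the protocol knowledge mentioned above comes in.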
This archive was generated by hypermail 2b30 : Fri Mar 14 2003 - 09:30:29 PST