[Oisf-devel] Suricata FN on http reply with file_data.
rmkml
rmkml at yahoo.fr
Thu Jun 28 23:05:22 UTC 2012
first rule version:
file_data; content:"xxx"; distance:0;
-> Suricata needs response-body-limit adjusted
What do you think of a second, "rule-like" version:
flowbits:isset,file_data; content:"xxx";
-> if the flowbits flag is set, search for xxx anywhere after the flowbits flag, without using response-body-limit?
Regards
Rmkml
On Thu, 28 Jun 2012, Victor Julien wrote:
> On 06/29/2012 12:25 AM, rmkml wrote:
>> Hi Victor,
>>
>> Yes, I understand, for memory/performance reasons,
>> but for only a content with distance (after file_data): why not simply
>> flag like flowbits in this "special" case?
>
> What do you mean? Don't understand how "flag like flowbits" would be
> related.