[Oisf-users] false alerts?
Victor Julien
lists at inliniac.net
Wed Mar 27 14:54:18 UTC 2013
On 03/27/2013 01:03 PM, Jose Paulo wrote:
> 1) Why am I getting alerts for sids 9000004,5 for the same packet if the
> offset is shifted?
The offset only determines where we _start_ looking for the pattern. If
the pattern occurs in the payload anywhere after it, we'll match.
If you want to pinpoint matching to specific bytes at specific offsets,
you should also add the "depth" keyword.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
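The behaviour described in the reply above, as an added example that is not part of the original message and is not Suricata code: a small Python model of a content match with "offset" alone versus "offset" plus "depth". The payload, the pattern and the two rule fragments in the comments are constructed for illustration, and the model assumes depth is counted from the offset, as it is when both keywords modify the same content.

```python
from typing import Optional

# Constructed 10-byte payload: the pattern de ad be ef sits at bytes 4..7.
PAYLOAD = bytes.fromhex("00010203deadbeef0405")
PATTERN = bytes.fromhex("deadbeef")


def content_match(payload: bytes, pattern: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """Model of a content match restricted by offset and, optionally, depth.

    offset: first payload byte at which the search may start.
    depth:  number of bytes, counted from offset, that may be searched.
            None means "search to the end of the payload".
    """
    if depth is not None and depth < len(pattern):
        # A window shorter than the pattern can never contain it.
        raise ValueError("depth must be at least the pattern length")
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    # bytes.find only reports a hit that lies entirely inside [offset, end).
    return payload.find(pattern, offset, end) != -1


def evaluate() -> dict:
    """Evaluate four hypothetical rule fragments against the same packet."""
    n = len(PATTERN)
    return {
        # content:"|de ad be ef|"; offset:2;
        "offset2": content_match(PAYLOAD, PATTERN, offset=2),
        # content:"|de ad be ef|"; offset:4;
        "offset4": content_match(PAYLOAD, PATTERN, offset=4),
        # content:"|de ad be ef|"; offset:2; depth:4;
        "offset2_depth4": content_match(PAYLOAD, PATTERN, offset=2, depth=n),
        # content:"|de ad be ef|"; offset:4; depth:4;
        "offset4_depth4": content_match(PAYLOAD, PATTERN, offset=4, depth=n),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'alert' if hit else 'no alert'}")
```

Without depth, both offsets alert on the same packet because the pattern lies after each starting point; with depth equal to the pattern length, only the rule whose offset is the pattern's real position still alerts.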