[Emerging-Sigs] Eleonore Drive By's and the Redirection To Them
evilghost at packetmail.net
Tue Oct 5 15:06:29 EDT 2010
On 10/05/2010 02:03 PM, Eoin Miller wrote:
> We have had some weird issues with doing multiple content matches in the
> same buffer (by that I mean it does not alert as you would expect it
> to). I haven't tested this with 2.9.0 yet, but the 2.8.6.x's would not
> alert if you added http_cookie to the second content match (if my memory
> serves). We could use distance:N; but since we are content matching on
> just cookie values containing the first content in only the cookie
> field, I would guess the performance increase would be negligible.
I would love to hear more about this and will try to confirm on my end.
I wonder if the below would mitigate the issue? Basically constrain
both to the same normalized buffer and make it be relative to the
previous while keeping the pointer in the same buffer.
content:"SL_"; http_cookie; content:"_0000="; http_cookie; distance:0;
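Added example, not part of the original thread and not Snort code: a Python model of what the proposed fragment asks for, with both contents confined to the cookie buffer and the second match required to start at or after the end of the first (distance:0). The function names and sample requests are constructed, and the buffer is assumed to hold only the Cookie header value.

```python
# Model of: content:"SL_"; http_cookie; content:"_0000="; http_cookie; distance:0;
# Hypothetical helper names; this does not call or reproduce Snort itself.

def extract_cookie(raw_request: bytes) -> bytes:
    """Return the first Cookie header value (assumed stand-in for the http_cookie buffer)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            return value.strip()
    return b""

def match_relative(buf: bytes, first: bytes, second: bytes) -> bool:
    """Second content must start at or after the byte where the first match ended."""
    start = buf.find(first)
    if start < 0:
        return False
    return buf.find(second, start + len(first)) >= 0

def match_independent(buf: bytes, first: bytes, second: bytes) -> bool:
    """No relative modifier: each content may match anywhere in the buffer."""
    return first in buf and second in buf

def rule_matches(raw_request: bytes, relative: bool = True) -> bool:
    cookie = extract_cookie(raw_request)
    matcher = match_relative if relative else match_independent
    return matcher(cookie, b"SL_", b"_0000=")

# Constructed sample requests (not captured traffic).
HDR = b"GET /x HTTP/1.1\r\nHost: example.test\r\n"
IN_ORDER = HDR + b"Cookie: SL_abc_0000=1\r\n\r\n"
REVERSED = HDR + b"Cookie: a_0000=1; SL_b=2\r\n\r\n"
OVERLAP = HDR + b"Cookie: SL_0000=1\r\n\r\n"      # the two contents share one "_"
URI_ONLY = b"GET /SL_x_0000=1 HTTP/1.1\r\nHost: example.test\r\nCookie: id=7\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("in order", IN_ORDER), ("reversed", REVERSED),
                       ("overlap", OVERLAP), ("uri only", URI_ONLY)]:
        print(label, rule_matches(req, True), rule_matches(req, False))
```

The reversed and overlapping cookies are the cases where the relative form and two independent matches disagree.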