From: Hui Cao (huica) Date: Tue, 3 Jan 2017 21:25:16 +0000 (-0500) Subject: Merge pull request #751 in SNORT/snort3 from doc_sdf2x3x to master X-Git-Tag: 3.0.0-233~122 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=13dfed66a612e182e9c730292e8874a9124f447b;p=thirdparty%2Fsnort3.git Merge pull request #751 in SNORT/snort3 from doc_sdf2x3x to master Squashed commit of the following: commit 042b8ad6e168b42e4fd46de8ebd5a10f46a86284 Author: Victor Roemer Date: Thu Dec 15 12:08:55 2016 -0500 SDF 2.x vs 3.x --- diff --git a/doc/differences.txt b/doc/differences.txt index cc4ef6b95..27fb343de 100644 --- a/doc/differences.txt +++ b/doc/differences.txt @@ -199,3 +199,21 @@ configure can be found by running the following command: snort --help-config http_inspect | grep http_inspect.profile +=== SDF Preprocessor + +The Snort 2.X SDF Preprocessor is gone, replaced by ips option `sd_pattern`. +The sd_pattern rule option is synonymous with the sd_pattern option used +for gid:138 rules, but has a different syntax. A major difference in syntax +is the use of Hyperscan pattern matching library which provides a regex +language similar to PCRE. + +To facilitate continued performance, sd_pattern rule option is implemented +with Hyperscan pattern matching library. The rule option is now also utilized +as a "fast pattern" in the Snort engine which provides a significant performance +improvement over the separate detection step of earlier implementations. + +The preprocessor alert SDF_COMBO_ALERT (139:1) has been removed and has no +replacement in Snort 3.X. This is because the rule offered no additional +value over gid:138 rules and was difficult to interpret the result of. + +For more information, See Features > Sensitive Data Filtering for details. diff --git a/tools/snort2lua/rule_states/rule_sd_pattern.cc b/tools/snort2lua/rule_states/rule_sd_pattern.cc index 6a944095f..0eb39de89 100644 --- a/tools/snort2lua/rule_states/rule_sd_pattern.cc 
+++ b/tools/snort2lua/rule_states/rule_sd_pattern.cc @@ -15,7 +15,7 @@ // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -// rule_metadata.cc author Josh Rosenbaum +// rule_sd_pattern.cc author Victor Roemer #include #include
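Review bot: the opening paragraph of the new "=== SDF Preprocessor" section reads circularly, saying the sd_pattern rule option "is synonymous with the sd_pattern option used for gid:138 rules"; spell out which Snort 2.X construct the 3.X ips option replaces (the gid:138 rule form of the old preprocessor) so a reader migrating rules knows what actually changed. The Hyperscan point is also made twice in consecutive paragraphs ("is the use of Hyperscan pattern matching library" and "is implemented with Hyperscan pattern matching library"); fold them into one paragraph. Minor wording: "was difficult to interpret the result of" reads better as "and its results were difficult to interpret", and "See" in "For more information, See Features" should be lowercase.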
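Review bot: the header correction in tools/snort2lua/rule_states/rule_sd_pattern.cc ("-// rule_metadata.cc author Josh Rosenbaum" to "+// rule_sd_pattern.cc author Victor Roemer") is unrelated to the documentation change that the squashed commit message "SDF 2.x vs 3.x" describes; either mention the header fix in the commit message or keep it as its own commit so the history stays searchable. The old line also suggests this file was started from a copy of rule_metadata.cc; if so, replacing the author line outright drops that attribution, so consider keeping both names.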