From 13dfed66a612e182e9c730292e8874a9124f447b Mon Sep 17 00:00:00 2001 From: "Hui Cao (huica)" Date: Tue, 3 Jan 2017 16:25:16 -0500 Subject: [PATCH] Merge pull request #751 in SNORT/snort3 from doc_sdf2x3x to master Squashed commit of the following: commit 042b8ad6e168b42e4fd46de8ebd5a10f46a86284 Author: Victor Roemer Date: Thu Dec 15 12:08:55 2016 -0500 SDF 2.x vs 3.x --- doc/differences.txt | 18 ++++++++++++++++++ tools/snort2lua/rule_states/rule_sd_pattern.cc | 2 +- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/doc/differences.txt b/doc/differences.txt index cc4ef6b95..27fb343de 100644 --- a/doc/differences.txt +++ b/doc/differences.txt @@ -199,3 +199,21 @@ configure can be found by running the following command: snort --help-config http_inspect | grep http_inspect.profile +=== SDF Preprocessor + +The Snort 2.X SDF Preprocessor is gone, replaced by ips option `sd_pattern`. +The sd_pattern rule option is synonymous with the sd_pattern option used +for gid:138 rules, but has a different syntax. A major difference in syntax +is the use of Hyperscan pattern matching library which provides a regex +language similar to PCRE. + +To facilitate continued performance, sd_pattern rule option is implemented +with Hyperscan pattern matching library. The rule option is now also utilized +as a "fast pattern" in the Snort engine which provides a significant performance +improvement over the separate detection step of earlier implementations. + +The preprocessor alert SDF_COMBO_ALERT (139:1) has been removed and has no +replacement in Snort 3.X. This is because the rule offered no additional +value over gid:138 rules and was difficult to interpret the result of. + +For more information, See Features > Sensitive Data Filtering for details. diff --git a/tools/snort2lua/rule_states/rule_sd_pattern.cc b/tools/snort2lua/rule_states/rule_sd_pattern.cc index 6a944095f..0eb39de89 100644 --- a/tools/snort2lua/rule_states/rule_sd_pattern.cc 
+++ b/tools/snort2lua/rule_states/rule_sd_pattern.cc @@ -15,7 +15,7 @@ // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -// rule_metadata.cc author Josh Rosenbaum +// rule_sd_pattern.cc author Victor Roemer #include #include -- 2.47.2
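Review bot: In the doc/differences.txt hunk, the new "=== SDF Preprocessor" section has a few wording problems worth fixing before merge. "the use of Hyperscan pattern matching library" (and again in the second paragraph, "implemented with Hyperscan pattern matching library") is missing an article: "the use of the Hyperscan pattern matching library". The sentence "was difficult to interpret the result of" is awkward; suggest "because the rule offered no additional value over gid:138 rules and its result was difficult to interpret". The closing line "For more information, See Features > Sensitive Data Filtering for details." both starts with "For more information" and ends with "for details", and capitalizes "See" mid-sentence; suggest "See Features > Sensitive Data Filtering for details." Minor: the version casing "Snort 2.X" / "Snort 3.X" in this section differs from the "2.x vs 3.x" form used in the commit subject; pick one for the differences document.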
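Review bot: The rule_sd_pattern.cc hunk corrects a header comment that named the wrong file ("rule_metadata.cc author Josh Rosenbaum" in a file called rule_sd_pattern.cc), which looks like a leftover from copying that file as a template; since the same template was likely used for other rule_states converters, it is worth grepping tools/snort2lua/rule_states for other headers that still say "rule_metadata.cc" and fixing them in the same change rather than one file at a time.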