Snort mailing list archives
RE: Hardcore -r question
From: Mark Evans <Mark.Evans () Optimation co nz>
Date: Wed, 13 Jun 2001 12:58:37 +1200
Note that 111 in binary is 01101111 and that 62319 in binary is 1111001101101111, so if you just look at the binary then they both match on the 2nd byte (the one that [3:1] looks at). It would have matched a whole load of other packets that ended in 01101111 if you had received any. As I understand it (YMMV).

Cheers,
-- me
From: Martin Roesch [mailto:roesch () sourcefire com]
Subject: Re: [Snort-users] Hardcore -r question

Try 'tcp[2:2] == 111', I bet that'll work. BPF starts counting at zero for headers, so tcp[0:2] covers the first 16 bits of the TCP header, tcp[2:2] covers the second 16 bits (i.e. the destination port). You could also just say 'dst port 111'.

-Marty

John Sage wrote:
> I'm playing with using the -r switch and tcpdump syntax on a binary log file, and I'm having one heckuva time understanding why this command line:
>
> snort -dv -r snort-0609 () 0724 log 'tcp[3:1] == 111 '
>
> returns what it does. I expect it to return packets with destination port 111, which it does, but WTF? It returns five other packets with a value of 62319 as the destination port, too.
[cut] _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
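To make the offset arithmetic in the thread concrete, here is an added worked example (not code from the original thread or from Snort/tcpdump) that emulates the BPF packet-data access `tcp[offset:size]` over a constructed TCP header. The header builder, the `bpf_field`/`matches` helpers and the sample ports (111 and 62319, the values in the thread; 1024 as an arbitrary source port) are all assumptions made for the example. It shows why `tcp[3:1] == 111` matches destination port 62319 (low byte 0x6F == 111) while `tcp[2:2] == 111` does not, and enumerates how many ports the one-byte filter actually catches:

```python
from __future__ import annotations
import struct


def tcp_header(src_port: int, dst_port: int) -> bytes:
    """Build a minimal 20-byte TCP header (constructed sample, no options,
    no IP header). Only the two port fields matter for this example; the
    rest is a SYN with data offset 5 and zeroed checksum/urgent pointer."""
    seq = ack = 0
    data_offset_flags = (5 << 12) | 0x02   # header length 5 words, SYN
    window = 65535
    checksum = urgent = 0
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       data_offset_flags, window, checksum, urgent)


def bpf_field(tcp: bytes, offset: int, size: int) -> int:
    """Emulate the BPF expression tcp[offset:size]: read `size` bytes
    (BPF allows 1, 2 or 4) at byte `offset` into the TCP header,
    big-endian, offsets counted from zero as in the filter language."""
    if size not in (1, 2, 4):
        raise ValueError("BPF only allows 1, 2 or 4 byte accesses")
    if offset + size > len(tcp):
        raise ValueError("access runs past end of header")
    return int.from_bytes(tcp[offset:offset + size], "big")


def matches(tcp: bytes, offset: int, size: int, value: int) -> bool:
    """True if the filter 'tcp[offset:size] == value' accepts this header."""
    return bpf_field(tcp, offset, size) == value


def ports_matching_low_byte(value: int) -> list[int]:
    """Every destination port that satisfies tcp[3:1] == value, i.e. every
    port whose low byte equals `value` (one per possible high byte)."""
    return [p for p in range(65536)
            if matches(tcp_header(1024, p), 3, 1, value)]


if __name__ == "__main__":
    for port in (111, 62319):
        hdr = tcp_header(1024, port)
        print(f"dst port {port:5d} = {port:016b}  "
              f"tcp[2:2]=={bpf_field(hdr, 2, 2)}  "
              f"tcp[3:1]=={bpf_field(hdr, 3, 1)}  "
              f"'tcp[3:1] == 111' -> {matches(hdr, 3, 1, 111)}  "
              f"'tcp[2:2] == 111' -> {matches(hdr, 2, 2, 111)}")
    hits = ports_matching_low_byte(111)
    print(f"{len(hits)} destination ports satisfy tcp[3:1] == 111, "
          f"e.g. {hits[:4]} ... {hits[-2:]}")
```

The one-byte form is the general pitfall: `tcp[3:1]` reads only the low-order byte of the 16-bit destination port, so it accepts 256 distinct ports (111, 367, 623, ... 62319, 65391), whereas `tcp[2:2]` compares the whole field and is equivalent to `dst port 111`.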
Current thread:
- Hardcore -r question John Sage (Jun 11)
- Re: Hardcore -r question Martin Roesch (Jun 11)
- Re: Hardcore -r question John Sage (Jun 11)
- <Possible follow-ups>
- RE: Hardcore -r question Mark Evans (Jun 12)
- Re: Hardcore -r question John Sage (Jun 12)
- Re: Hardcore -r question Martin Roesch (Jun 11)