Snort mailing list archives

masqueraded content rules


From: Fermin Galan Marquez <galan () dit upm es>
Date: Fri, 14 Dec 2001 01:00:23 +0100 (CET)


Hello everyone,

I want to log packets with the (binary) pattern: 

1111 1111 1111 101x 1001 00xx

where x is a non-significant bit.

(for the curious, it is for detecting traffic of 
some MP3 files).

The first thing that I thought of was using eight
content rules:

log ... content: "|ff fa 90|";
log ... content: "|ff fa 91|";
log ... content: "|ff fa 92|";
log ... content: "|ff fa 93|";
log ... content: "|ff fb 90|";
log ... content: "|ff fb 91|";
log ... content: "|ff fb 92|";
log ... content: "|ff fb 93|";

But it would be simpler (fewer rules to check
in the detection system) with only one rule
using a mask:

1111 1111 1111 101x 1001 00xx  (pattern)
1111 1111 1111 1110 1111 1100  (mask)


log ... content: "|ff fa 90|"; mask: "|ff fe fc|"; (?)

My question is:

Does Snort support masks in this way? (In other
words: is it possible to do something like what
I have described above?)

Thanks in advance.

------------
Fermin Galan
galan () dit upm es
http://www.dit.upm.es/~galan
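
The masked comparison asked about in the message above, as an added example (not part of the original post and not Snort code): it matches a payload window when (window AND mask) equals (pattern AND mask), and expands the pattern/mask pair back into the explicit byte strings it stands for. The function names and the sample payload are constructed for illustration; the pattern and mask bytes are the ones given in the message.

```python
from itertools import product

# Values taken from the message: pattern |ff fa 90| with mask |ff fe fc|.
PATTERN = bytes.fromhex("fffa90")
MASK = bytes.fromhex("fffefc")


def masked_find(payload, pattern, mask):
    """Return every offset where (payload & mask) == (pattern & mask)."""
    if len(pattern) != len(mask) or not pattern:
        raise ValueError("pattern and mask must be the same non-zero length")
    want = bytes(p & m for p, m in zip(pattern, mask))
    n = len(pattern)
    hits = []
    for off in range(len(payload) - n + 1):
        window = payload[off:off + n]
        if all((b & m) == w for b, m, w in zip(window, mask, want)):
            hits.append(off)
    return hits


def expand(pattern, mask):
    """Enumerate the exact byte strings a masked pattern stands for."""
    per_byte = []
    for p, m in zip(pattern, mask):
        # Bit positions where the mask is 0 are the "x" (don't-care) bits.
        free = [bit for bit in range(8) if not (m >> bit) & 1]
        options = []
        for combo in product((0, 1), repeat=len(free)):
            value = p & m
            for bit, on in zip(free, combo):
                value |= on << bit
            options.append(value)
        per_byte.append(sorted(options))
    return [bytes(t) for t in product(*per_byte)]


if __name__ == "__main__":
    # Constructed payload: one matching header (ff fb 92), one near miss (ff f8 90).
    sample = bytes.fromhex("0000fffb9211fff89000")
    print("match offsets:", masked_find(sample, PATTERN, MASK))
    print("explicit patterns:", [e.hex(" ") for e in expand(PATTERN, MASK)])
```

The expansion yields the same eight byte strings as the eight content rules listed in the message, so the single masked test and the eight exact tests accept the same inputs.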

 

