Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: spaces in signature content fields?

From: Erek Adams <erek () snort org>
Date: Tue, 18 Feb 2003 14:51:21 -0500 (EST)
On Tue, 18 Feb 2003, mike hsar wrote:


Can anyone tell me if spaces are significant in hex
strings in snort signatures?  For example, in
backdoor.rules in snort 1.9.0, the signature for
"BACKDOOR DeepThroat 3.1 Server Active on Network" has
a content field of "|00 23|".  Could it just as well
be written as "|0023|"?


It could, but it would be harder for us non-hex based folks to grok.  :)

Since hex is usually listed as XX, it's simpler to read and follow the
patterns if you have the space in there.  Besides, it makes cutting and
pasting from a packet dump a cinch!  ;-)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: