Snort mailing list archives
Re: Quick Question.
From: Erek Adams <erek () snort org>
Date: Wed, 12 Mar 2003 09:44:24 -0500 (EST)
On Wed, 12 Mar 2003, Chris Keladis wrote: [...snip...]
In Snort 1.9.1, I've noticed that some rules, in their content option, match multiple hex values. E.g., content:"|00|4141|" etc etc. Am I correct in assuming a rule with the content option above will trigger only if byte 00 precedes concurrent bytes 4141, and 00 can occur anywhere before the concurrent 4141 bytes, to get a match?
No, it's more like "If you see the hex values 00 41 41 (in that order) then fire the alert."
I suspect the above is true, which leads me to my next question: is there currently any way to 'anchor' bytes, and only match, say, if the first byte == 0x00, and I can match 4141 anywhere else in the packet? (Sort of like a regex for bytes rather than characters.)
Yep. Have a look at 'distance' and 'within'. They will do what you want. These may not be in the docs as of yet, so you'd best hit the mailing list archives for exact details. Check the one for snort-devel since that's where it's gotten the most hits [0]... Hope that helps!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

[0] http://marc.theaimsgroup.com/?l=snort-devel&w=2&r=1&s=distance+within&q=b
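An added illustration of the two behaviours discussed in this thread (not code from the thread or from Snort itself): a small Python model of the content option's pipe-hex notation and of chained contents with 'distance' and 'within'. It assumes, per the manual's wording, that 'distance' works like offset relative to the end of the previous match and 'within' like depth relative to that point; the question's "|00|4141|" is written here in balanced form as "|00 41 41|".

```python
from typing import List, Tuple

def parse_content(spec: str) -> bytes:
    """Convert a Snort-style content string into bytes.
    Text between a pair of '|' is hex (e.g. "|00 41 41|");
    text outside the pipes is taken literally (e.g. "GET|20|/")."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 1:                      # inside pipes: hex byte values
            out += bytes.fromhex(part.replace(" ", ""))
        else:                               # outside pipes: literal text
            out += part.encode("latin-1")
    return bytes(out)

# Each entry: (content spec, distance, within); within=0 means "no limit".
Content = Tuple[str, int, int]

def rule_matches(payload: bytes, contents: List[Content]) -> bool:
    """Modeled semantics (assumption, not Snort's own code): the first content is
    searched anywhere; each later content is searched in a window that starts
    `distance` bytes after the previous match ended and, when `within` > 0,
    is `within` bytes long.  The whole pattern must fit inside the window."""
    prev_end = 0
    for idx, (spec, distance, within) in enumerate(contents):
        pattern = parse_content(spec)
        start = prev_end + distance if idx else 0
        end = start + within if (idx and within) else len(payload)
        pos = payload.find(pattern, start, end)
        if pos < 0:
            return False
        prev_end = pos + len(pattern)
    return True

# Constructed sample rules for the three cases in the thread.
CONTIGUOUS = [("|00 41 41|", 0, 0)]            # 00 41 41 back to back
ANCHORED_ANY = [("|00|", 0, 0), ("|41 41|", 0, 0)]  # 00, then 41 41 anywhere later
ADJACENT = [("|00|", 0, 0), ("|41 41|", 0, 2)]      # 41 41 right after the 00

if __name__ == "__main__":
    print(rule_matches(b"\x00\x01AA", CONTIGUOUS))    # False: a byte sits between
    print(rule_matches(b"\x00\x01\x02AA", ANCHORED_ANY))  # True
    print(rule_matches(b"\x00\x01AA", ADJACENT))      # False: within:2 excludes it
```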