Snort mailing list archives

Re: Quick Question.


From: Erek Adams <erek () snort org>
Date: Wed, 12 Mar 2003 09:44:24 -0500 (EST)

On Wed, 12 Mar 2003, Chris Keladis wrote:

[...snip...]

> In Snort 1.9.1, I've noticed in some rules, in their content option,
> match multiple hex values. E.g., content:"|00|4141|" etc etc.
>
> Am I correct in assuming a rule with the content option above, will
> trigger only if byte 00 precedes concurrent bytes 4141, and 00 can occur
> anywhere before the concurrent 4141 bytes, to get a match?

No, it's more like "If you see the hex values 00 41 41 (in that order)
then fire the alert."

> I suspect the above is true, which leads me to my next question, is
> there currently any way to 'anchor' bytes, and only match say, if the
> first byte == 0x00, and I can match 4141 anywhere else in the packet?
> (sort of like a regex for bytes rather than characters).

Yep.  Have a look at 'distance' and 'within'.  They will do what you want.
These may not be in the docs as of yet, so you'd best hit the mailing list
archives for exact details.  Check the one for snort-devel since that's
where it's gotten the most hits [0]...

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]
http://marc.theaimsgroup.com/?l=snort-devel&w=2&r=1&s=distance+within&q=b
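As an added example (not from the thread, and not Snort's own code), here is a small Python emulation of how chained content options constrain where each pattern may match: a single content with three hex bytes needs them adjacent, while two contents joined by distance/within let the 00 sit anywhere before the 41 41, and depth pins the first byte to the start of the payload. The semantics are my simplified reading of the Snort 1.9-era modifiers and the payloads are constructed.

```python
# Added example, not from the thread: a simplified emulation of how Snort
# evaluates chained 'content' options.  Semantics below are my reading of the
# Snort 1.9-era modifiers (no backtracking between contents):
#   offset/depth    - absolute window from the start of the payload
#   distance/within - window relative to the end of the previous match

def parse_content(spec: str) -> bytes:
    """Turn a content string such as '|00|AB|41 41|' into raw bytes.
    Text between '|' pairs is hex (spaces ignored); text outside is ASCII."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)

def match_rule(payload: bytes, contents: list) -> bool:
    """contents: list of dicts, each with 'content' plus optional modifiers.
    Every content must be found, in order, inside its allowed window."""
    doe = 0  # "detect offset end": byte just past the previous match
    for c in contents:
        pat = parse_content(c["content"])
        if "distance" in c or "within" in c:
            start = doe + c.get("distance", 0)
            end = start + c["within"] if "within" in c else len(payload)
        else:
            start = c.get("offset", 0)
            end = start + c["depth"] if "depth" in c else len(payload)
        idx = payload.find(pat, start, end)  # pattern must fit in [start, end)
        if idx < 0:
            return False
        doe = idx + len(pat)
    return True

# Constructed payloads: contiguous 00 41 41, and 00 followed later by 41 41.
CONTIGUOUS = b"\x00\x41\x41"
SPLIT = b"\x00XX\x41\x41"

# Three ways to write the rule the thread discusses.
ONE_CONTENT = [{"content": "|00 41 41|"}]                       # 00 41 41 adjacent
TWO_CONTENTS = [{"content": "|00|"},
                {"content": "|41 41|", "distance": 0}]          # 00 anywhere before 41 41
ANCHORED = [{"content": "|00|", "depth": 1},
            {"content": "|41 41|", "distance": 0}]              # 00 must be byte 0

if __name__ == "__main__":
    for name, rule in [("one", ONE_CONTENT), ("two", TWO_CONTENTS), ("anchored", ANCHORED)]:
        print(name, match_rule(CONTIGUOUS, rule), match_rule(SPLIT, rule), match_rule(b"Z" + SPLIT, rule))
```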


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net