Snort mailing list archives

Re: align option of byte_jump


From: Brian <bmc () snort org>
Date: Thu, 4 Sep 2003 17:09:34 -0400

On Thu, Sep 04, 2003 at 11:19:59AM -0700, Martin Hofmeister wrote:
> alert udp any any -> any 32770:34000 (content: "| 00 01 86 B8 |"; \
>                     content: "| 00 00 00 01|"; distance: 4; within: 4; \
>                     byte_jump: 4, 12, relative, align; \
>                     byte_test: 4, >, 900, 20, relative; \
>                     msg: "statd format string buffer overflow";)
>
> The byte_jump has specified 4 bytes to convert, so why would we need the
> "align" option in this example since we are already converting 32 bits
> (4 bytes)?

align tells byte_jump to jump to the end of the 32-bit boundary.

Example:
If the number you end up with is 9 bytes, when byte_jump jumps, it will jump
12 bytes.  (9, then end on the 32-bit boundary)

This is super useful in dealing with RPC traffic, since everything is
aligned on the 32-bit boundary.

-brian
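
The rounding Brian describes, as an added worked model (not Snort's source and not from either poster): byte_jump reads a length field, and with align rounds the value read up to the next multiple of 4 before moving the detection cursor past the end of the converted bytes. The payload is constructed to look like an XDR string (4-byte length, 9 bytes of data, 3 bytes of pad) followed by a 4-byte integer, so that the unaligned jump lands in the padding while the aligned jump lands on the next field. Modifiers such as little, string and multiplier are not modelled.

```python
import struct

def byte_jump(payload, cursor, num_bytes, offset, relative=True, align=False):
    """Model of byte_jump: read an unsigned big-endian field of num_bytes at
    offset (from cursor when relative, else from packet start), then move the
    cursor to the end of that field plus the value read.  With align the value
    is rounded up to the next 32-bit boundary, so 9 becomes a jump of 12.
    Returns the new cursor, or None when the read or the jump leaves the payload."""
    start = (cursor + offset) if relative else offset
    end = start + num_bytes
    if start < 0 or end > len(payload):
        return None
    value = int.from_bytes(payload[start:end], "big")
    if align and value % 4:
        value += 4 - value % 4          # pad up to the next multiple of 4
    new_cursor = end + value
    return new_cursor if new_cursor <= len(payload) else None

def xdr_string(data):
    """XDR encoding: 4-byte length, the data, zero pad to a 4-byte boundary."""
    return struct.pack(">I", len(data)) + data + b"\x00" * (-len(data) % 4)

# Constructed sample (not a captured packet): a 9-byte XDR string, then a
# 4-byte integer field that a following byte_test would want to examine.
SAMPLE = xdr_string(b"localhost") + struct.pack(">I", 1024)

def field_after_string(payload, align):
    """Jump over the length-prefixed string at the cursor and read the 4-byte
    field that follows.  Returns (cursor, value) or None if out of bounds."""
    cur = byte_jump(payload, 0, 4, 0, relative=True, align=align)
    if cur is None or cur + 4 > len(payload):
        return None
    return cur, int.from_bytes(payload[cur:cur + 4], "big")

if __name__ == "__main__":
    # Without align the cursor stops at 13, inside the XDR padding, and the
    # field read there is garbage (0); with align it stops at 16 and reads 1024.
    print("no align:", field_after_string(SAMPLE, align=False))
    print("align:   ", field_after_string(SAMPLE, align=True))
```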

