Snort mailing list archives

Re: byte_jump


From: Brian Caswell <bmc () snort org>
Date: Sun, 20 Feb 2005 17:50:18 -0500

On Feb 20, 2005, at 12:30 PM, mosquitooth () gmx net wrote:
I'm not quite sure about the use of the multiplier statement, so would this
be correct?

byte_jump: 2,4,big,multiplier 34;

Is the string 'multiplier' necessary? I've not found any rule deployed with
snort that does use this multiplier...


Here is what your byte_jump would do:

Starting 4 bytes into the packet, read 2 bytes and treat it as a big-endian integer. Multiply the result by 34, and jump that many bytes forwards from the end of the data we just read.

So if your packet in hex was:

00 00 00 00 00 01 00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 99 00 11 22 33 FF

Then the doe_ptr would be at the start of FF.

Brian
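
The walk-through above, as an added example (not Snort's own code): a small Python model of the byte_jump option that reads the length field, applies the multiplier and returns the new detection offset, run over the packet from the reply. The `align` and `relative_to` parameters are this example's approximation of the corresponding rule modifiers, and the rule that a jump past the end of the payload fails to match is this example's convention.

```python
# Model of Snort 2 byte_jump semantics as described in the reply above.
# Added example, not Snort's implementation.

# Packet from the reply (constructed sample input, 41 bytes).
PKT = bytes.fromhex(
    "00 00 00 00 00 01"
    "00 11 22 33 44 55 66 77 88 99"
    "00 11 22 33 44 55 66 77 88 99"
    "00 11 22 33 44 55 66 77 88 99"
    "00 11 22 33 FF"
)


def byte_jump(payload, nbytes, offset, endian="big", multiplier=1,
              relative_to=0, align=False):
    """Read `nbytes` at `offset` (counted from `relative_to`, the current
    doe_ptr when the rule uses `relative`), multiply the value, and jump
    that many bytes forwards from the end of the bytes just read.
    Returns the new doe_ptr, or None when the option cannot match."""
    if nbytes not in (1, 2, 4):
        raise ValueError("byte_jump converts 1, 2 or 4 bytes")
    start = relative_to + offset
    end = start + nbytes
    if start < 0 or end > len(payload):
        return None                      # length field itself is out of bounds
    value = int.from_bytes(payload[start:end], byteorder=endian)
    jump = value * multiplier
    if align:                            # round up to the next 4-byte boundary
        jump = (jump + 3) & ~3
    new_ptr = end + jump
    if new_ptr > len(payload):
        return None                      # jump lands past the payload: no match
    return new_ptr


def content_at(payload, ptr, pattern):
    """A following `content` with `relative` matches only at the new doe_ptr."""
    return ptr is not None and payload[ptr:ptr + len(pattern)] == pattern


if __name__ == "__main__":
    # byte_jump: 2,4,big,multiplier 34;  ->  0x0001 * 34 = 34, 6 + 34 = 40
    ptr = byte_jump(PKT, 2, 4, "big", multiplier=34)
    print("doe_ptr =", ptr, "byte there =", hex(PKT[ptr]))
```

Swapping `big` for `little` reads the same field as 0x0100 and the jump leaves the packet, which is the usual reason a byte_jump rule silently never fires.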



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net