Snort mailing list archives
Re: byte_jump
From: Brian Caswell <bmc () snort org>
Date: Sun, 20 Feb 2005 17:50:18 -0500
On Feb 20, 2005, at 12:30 PM, mosquitooth () gmx net wrote:
I'm not quite sure about the use of the multiplier statement, so would this be correct?
byte_jump: 2,4,big,multiplier 34;
Is the string 'multiplier' necessary? I've not found any rule deployed with snort that does use this multiplier...
Here is what your byte_jump would do: starting 4 bytes into the packet, read 2 bytes and treat it as a big endian integer. Multiply the result by 34, and jump that many bytes forwards from the end of the data we just read.
So if your packet in hex was:
00 00 00 00 00 01 00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 99 00 11 22 33 FF
Then the doe_ptr would be at the start of FF.

Brian
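As an added illustration (not part of Brian's reply and not Snort's own code), the following Python emulates the byte_jump behaviour described above and checks it against the packet from the post. It models only the numeric read, the big/little endianness, the multiplier and the relative option; the exact bounds rule at the very end of the payload is an assumption.

```python
# Hypothetical reimplementation of Snort's byte_jump semantics for illustration.

# Packet from Brian's post, constructed here as a bytes literal (41 bytes).
PACKET = bytes.fromhex(
    "00 00 00 00 00 01 00 11 22 33 44 55 66 77 88 99 "
    "00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 "
    "66 77 88 99 00 11 22 33 FF"
)


def byte_jump(payload, nbytes, offset, endian="big", multiplier=1,
              relative=False, doe_ptr=0):
    """Return the new doe_ptr after a byte_jump, or None if the option fails.

    Reads `nbytes` starting `offset` bytes into the payload (or into the
    data after doe_ptr when `relative` is set), converts them as an unsigned
    integer of the given endianness, multiplies by `multiplier`, and moves
    doe_ptr that many bytes forward from the END of the bytes just read.
    """
    if nbytes not in (1, 2, 4):
        raise ValueError("byte_jump converts 1, 2 or 4 bytes")
    start = (doe_ptr if relative else 0) + offset
    end = start + nbytes
    if start < 0 or end > len(payload):
        return None  # the read itself would run off the payload
    value = int.from_bytes(payload[start:end], "big" if endian == "big" else "little")
    target = end + value * multiplier
    # Assumption: landing at or past the end of the payload makes the option fail.
    if target >= len(payload):
        return None
    return target


def jump_then_match(payload, nbytes, offset, multiplier, pattern, endian="big"):
    """Model 'byte_jump: ...; content:"<pattern>"; within:<len(pattern)>;'.

    After the jump, the content must start exactly at the new doe_ptr.
    """
    ptr = byte_jump(payload, nbytes, offset, endian, multiplier)
    if ptr is None:
        return False
    return payload[ptr:ptr + len(pattern)] == pattern


if __name__ == "__main__":
    # The post's rule fragment: byte_jump: 2,4,big,multiplier 34;
    ptr = byte_jump(PACKET, 2, 4, "big", 34)
    print("doe_ptr =", ptr, "byte there =", hex(PACKET[ptr]))  # doe_ptr = 40, 0xff
```

With the post's packet the 2 bytes at offset 4 are 00 01, so the jump is 1 * 34 = 34 bytes past offset 6, landing on the FF; a multiplier of 35 would land past the payload and the option would fail.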