Snort mailing list archives
Re: snort rule byte_test operator problem
From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 15 May 2007 12:41:20 -0500
--On Tuesday, May 15, 2007 09:57:32 -0700 Jasmine Chua <babymagic_89 () yahoo com> wrote:
Dear Snort users,

I have been trying to figure out the snort rule option "byte_test". http://www.snort.org/docs/snort_htmanuals/htmanual_261/node203.html

For instance, we have byte_test:4,>,128,relative; that will grab 4 bytes which happen to be "00 00 0F FF". So, in this case, how do I manually calculate to check whether the above 4 bytes are actually > 128 or not? The problem is I do not know what the value 128 represents. Is it in decimal?

Sorry if my question sounds stupid, I really can't help it.
I had a fifth grade math teacher who said, "The only stupid question is the one you do not ask."
128 is decimal, but the packet is in hex. So you have to convert from hex to decimal. Most computers have a scientific calculator that will do this for you easily. Click on hex. Type in the values in the packet. Then click on decimal.
In this case, |00 00 0F FF| = 4095. Well beyond the 128 boundary.

--
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
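The conversion Paul describes, worked through in code. This is an added example, not Snort's own implementation: the function name byte_test, its parameters and the sample payload are assumed here; the operators follow the Snort 2.x manual (<, >, =, !, &, ^, with ! as a negating prefix).

```python
import operator

# Snort 2.x byte_test comparison operators. "!" on its own means "not equal";
# a "!" prefix negates any other operator (e.g. "!&").
_OPERATORS = {
    "<": operator.lt,
    ">": operator.gt,
    "=": operator.eq,
    "&": lambda a, b: (a & b) != 0,   # bitwise AND: any masked bit set
    "^": lambda a, b: (a ^ b) != 0,   # bitwise XOR: any bit differs
}


def byte_test(payload, num_bytes, op, value, offset=0, relative=False,
              cursor=0, little_endian=False):
    """Emulate byte_test: read num_bytes of payload at offset (counted from
    the detection cursor when relative=True), convert them to an unsigned
    integer (big-endian unless little_endian=True, like Snort's "little"
    modifier) and compare with op against the decimal value from the rule.
    Returns (matched, extracted_int); extracted_int is None when the packet
    is too short, which Snort treats as a failed test."""
    if num_bytes not in (1, 2, 3, 4):
        raise ValueError("byte_test converts 1 to 4 bytes")
    negate = op.startswith("!")
    if negate:
        op = op[1:] or "="          # bare "!" is "not equal"
    if op not in _OPERATORS:
        raise ValueError(f"unknown byte_test operator {op!r}")
    start = cursor + offset if relative else offset
    chunk = payload[start:start + num_bytes]
    if len(chunk) < num_bytes:
        return False, None
    extracted = int.from_bytes(chunk, "little" if little_endian else "big")
    matched = _OPERATORS[op](extracted, value)
    return (not matched if negate else matched), extracted


# Constructed payload: two bytes of preceding data (as if matched by a content
# option, leaving the cursor at offset 2) followed by the bytes from the mail.
PAYLOAD = bytes.fromhex("dead" "00000fff")


def check_example():
    """byte_test:4,>,128,relative; evaluated with the cursor after 'dead'."""
    return byte_test(PAYLOAD, 4, ">", 128, relative=True, cursor=2)


if __name__ == "__main__":
    matched, val = check_example()
    print(f"extracted 0x{val:08X} = {val} decimal, > 128: {matched}")
```

Running it prints the decimal 4095 that Paul computed by hand, together with the match result.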