Snort mailing list archives

Re: snort rule byte_test operator problem


From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 15 May 2007 12:41:20 -0500

--On Tuesday, May 15, 2007 09:57:32 -0700 Jasmine Chua <babymagic_89 () yahoo com> wrote:

Dear Snort users,

I have been trying to figure out the snort rule option
"byte_test".
http://www.snort.org/docs/snort_htmanuals/htmanual_261/node203.html

For instance, we have

byte_test:4,>,128,relative;

that will grab 4 bytes which happens to be "00 00 0F FF"

So, in this case, how do I manually calculate to check
if the above 4 bytes are actually > 128 or not?
Problem is I do not know what the value 128 represents. Is it in decimal?

Sorry, if my question sounds stupid, I really can't
help it.

I had a fifth grade math teacher who said, "The only stupid question is the one you do not ask."

128 is decimal, but the packet is in hex. So you have to convert from hex to decimal. Most computers have a scientific calculator that will do this for you easily. Click on hex. Type in the values in the packet. Then click on decimal.

In this case, |00 00 0F FF| = 4095.  Well beyond the 128 boundary.

--
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
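The arithmetic Paul describes, as a worked example added to this archive page (it is not Snort's code and not something either poster wrote): the selected bytes are read as an unsigned integer, big-endian unless the rule says `little`, and that integer is compared with the decimal (or `0x`-prefixed) value in the rule. The sample payload, the `relative` cursor argument `doe`, and the treatment of a bare `!` as "not equal" are assumptions of this model, which supports only the `relative`, `big` and `little` modifiers.

```python
"""Stand-alone model of Snort's byte_test arithmetic (constructed example, not Snort code)."""
import operator

# Constructed sample payload: three filler bytes, then the 00 00 0F FF from the
# question, then one trailing byte.  Not captured traffic.
SAMPLE_PAYLOAD = bytes.fromhex("41 42 43 00 00 0F FF 44")

# Comparison operators from the Snort 2.x manual.  A '!' prefix negates any of
# them; modelling a bare '!' as "not equal" is an assumption made here.
_OPS = {
    "<": operator.lt,
    ">": operator.gt,
    "=": operator.eq,
    "&": lambda v, m: (v & m) != 0,   # bitwise AND: any masked bit set
    "^": lambda v, m: (v ^ m) != 0,   # bitwise XOR against the mask
}


def _parse_number(text: str):
    """Return an int for '128', '-4' or '0x80'; None if the field is a keyword."""
    try:
        return int(text)
    except ValueError:
        if text.lower().startswith("0x"):
            return int(text, 16)
        return None


def hex_bytes_to_int(hex_str: str, byteorder: str = "big") -> int:
    """The manual check from the reply: '00 00 0F FF' -> 4095 (decimal)."""
    return int.from_bytes(bytes.fromhex(hex_str), byteorder)


def byte_test(option: str, payload: bytes, doe: int = 0) -> bool:
    """Evaluate the body of a byte_test option against a payload.

    option  -- text after 'byte_test:', e.g. "4,>,128,0,relative"
               (bytes to convert, [!]operator, value, offset, modifiers...).
    payload -- raw packet payload bytes.
    doe     -- cursor left by a previous relative match (assumed here as the
               "detect offset end"); used only with the 'relative' modifier.
    """
    parts = [p.strip() for p in option.split(",")]
    if len(parts) < 3:
        raise ValueError("byte_test needs at least bytes, operator, value")
    nbytes = int(parts[0])
    op = parts[1]
    value = _parse_number(parts[2])
    if value is None:
        raise ValueError(f"value must be numeric, got {parts[2]!r}")

    offset = 0
    modifiers = set()
    for field in parts[3:]:
        number = _parse_number(field)   # numeric field is the offset,
        if number is None:              # anything else is a modifier keyword
            modifiers.add(field)
        else:
            offset = number

    negate = op.startswith("!")
    if negate:
        op = op[1:] or "="              # bare '!' modelled as "not equal"
    if op not in _OPS:
        raise ValueError(f"unsupported operator {op!r}")
    if nbytes not in (1, 2, 3, 4):      # binary conversion kept to 32 bits here
        raise ValueError("bytes to convert must be 1-4 for binary data")

    start = offset + (doe if "relative" in modifiers else 0)
    if start < 0 or start + nbytes > len(payload):
        return False                    # not enough payload: the test cannot match

    byteorder = "little" if "little" in modifiers else "big"
    converted = int.from_bytes(payload[start:start + nbytes], byteorder)
    result = _OPS[op](converted, value)
    return (not result) if negate else result


if __name__ == "__main__":
    print(hex_bytes_to_int("00 00 0F FF"))                       # 4095
    print(byte_test("4,>,128,3", SAMPLE_PAYLOAD))                # True
    print(byte_test("4,>,128,relative", SAMPLE_PAYLOAD, doe=3))  # True
```

Running `byte_test("4,>,128,3", SAMPLE_PAYLOAD)` reproduces the reply's conclusion: the four bytes convert to 4095, which is well beyond 128. The `little` case is worth trying as well, since the same four bytes read little-endian become 0xFF0F0000, so a rule with the wrong byte order can match or miss for reasons that are invisible in the hex dump.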

