Snort mailing list archives

byte_test


From: "snort user" <snort.user () gmail com>
Date: Thu, 2 Aug 2007 12:27:04 -0400

Greetings.

I have a test rule --
alert udp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"AMD procedure 7 plog overflow "; \
content: "|00 04 93 F3|"; \
content: "|00 00 00 07|"; distance: 4; within: 4; \
byte_test: 4,>, 1000, 20, relative;)

I need to generate a packet that triggers this rule.

Everything is clear to me except the byte_test part.

Can someone explain what 'byte_test: 4,>, 1000, 20, relative' means?

What is to be there in the UDP payload to trigger this?



Thanks a lot
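
An added example, not part of the original post: a small Python model of how the three options in the rule above are evaluated against a UDP payload. It assumes Snort's documented defaults (byte_test converts the bytes as a big-endian binary number, and "relative" counts the offset from the end of the previous content match). The function names and the sample payload are constructed for illustration and are not Snort's own code.

```python
PROGRAM = bytes.fromhex("000493F3")    # content: "|00 04 93 F3|"
PROCEDURE = bytes.fromhex("00000007")  # content: "|00 00 00 07|"


def byte_test(payload, cursor, nbytes, op, value, offset):
    """Model of byte_test: <nbytes>,<op>,<value>,<offset>,relative.

    Reads nbytes starting at cursor+offset, where cursor is the end of
    the previous content match, and compares them as a big-endian
    unsigned integer against value.
    """
    start = cursor + offset
    if start < 0 or start + nbytes > len(payload):
        return False  # field lies outside the payload: no match
    field = int.from_bytes(payload[start:start + nbytes], "big")
    return {">": field > value, "<": field < value, "=": field == value}[op]


def rule_matches(payload):
    """Evaluate the two content options and the byte_test in order."""
    pos = payload.find(PROGRAM)
    while pos != -1:
        cursor = pos + len(PROGRAM)
        # distance:4 skips 4 bytes after the first match; within:4 leaves
        # room for exactly one 4-byte pattern, so it must sit at cursor+4.
        second = cursor + 4
        if payload[second:second + 4] == PROCEDURE:
            cursor = second + len(PROCEDURE)
            # byte_test: 4,>,1000,20,relative
            if byte_test(payload, cursor, 4, ">", 1000, 20):
                return True
        pos = payload.find(PROGRAM, pos + 1)  # retry on a later occurrence
    return False


def sample_payload(field_value):
    """Constructed test input: zero filler around the matched fields."""
    return (b"\x00" * 12 + PROGRAM + b"\x00\x00\x00\x01" + PROCEDURE
            + b"\x00" * 20 + field_value.to_bytes(4, "big"))


if __name__ == "__main__":
    for v in (1000, 1001):
        print(v, rule_matches(sample_payload(v)))
```

In words: after the second content match, byte_test skips 20 bytes, reads the next 4 bytes as one unsigned number, and the rule fires only if that number is greater than 1000.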
