Snort mailing list archives
byte_test
From: "snort user" <snort.user () gmail com>
Date: Thu, 2 Aug 2007 12:27:04 -0400
Greetings. I have a test rule --

alert udp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"AMD procedure 7 plog overflow "; \
    content: "|00 04 93 F3|"; \
    content: "|00 00 00 07|"; distance: 4; within: 4; \
    byte_test: 4,>, 1000, 20, relative;)

I need to generate a packet that triggers this rule. Everything is clear to me except the byte_test part. Can someone explain what 'byte_test: 4,>, 1000, 20, relative' means? What is to be there in the UDP payload to trigger this?

Thanks a lot
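The rule's payload options, evaluated step by step over constructed byte strings. This is an added example, not part of the original post and not Snort's own code; it assumes the Snort defaults for byte_test (big-endian conversion, and with `relative` the offset counted from the end of the previous content match), and all function names are hypothetical.

```python
PROGRAM = bytes.fromhex("000493F3")    # content:"|00 04 93 F3|"
PROCEDURE = bytes.fromhex("00000007")  # content:"|00 00 00 07|"


def find_all(data, pattern, start=0, end=None):
    """Yield every offset where pattern lies entirely inside data[start:end]."""
    end = len(data) if end is None else min(end, len(data))
    pos = data.find(pattern, start, end)
    while pos != -1:
        yield pos
        pos = data.find(pattern, pos + 1, end)


def byte_test(data, nbytes, op, value, offset, cursor):
    """byte_test:<nbytes>,<op>,<value>,<offset>,relative with big-endian bytes."""
    start = cursor + offset            # 'relative': count from end of last match
    field = data[start:start + nbytes]
    if start < 0 or len(field) != nbytes:
        return False                   # payload too short: the option fails
    number = int.from_bytes(field, "big")
    return {">": number > value, "<": number < value, "=": number == value}[op]


def rule_matches(payload):
    """Return True if the rule's content and byte_test options all match."""
    # Every occurrence of the first content is tried, so a decoy occurrence
    # earlier in the payload does not hide a later one that satisfies the rule.
    for first in find_all(payload, PROGRAM):
        cursor = first + len(PROGRAM)
        lo = cursor + 4                # distance:4 skips 4 bytes after the match
        # within:4 means the 4-byte pattern must sit exactly in the next 4 bytes
        for second in find_all(payload, PROCEDURE, lo, lo + 4):
            cursor = second + len(PROCEDURE)
            # byte_test:4,>,1000,20,relative reads 4 bytes, 20 bytes further on
            if byte_test(payload, 4, ">", 1000, 20, cursor):
                return True
    return False


def sample(value):
    """Constructed test buffer: filler, both contents, 20 filler bytes, value."""
    return (b"\x00" * 12 + PROGRAM + b"\x00\x00\x00\x01" + PROCEDURE
            + b"\x00" * 20 + value.to_bytes(4, "big"))
```

In words: after the second content matches, Snort skips 20 bytes, converts the next 4 bytes to an unsigned integer, and the option is true only if that integer is greater than 1000.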