Snort mailing list archives
Re: Could someone test a rule for me please?
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 7 Jul 2014 12:37:23 +0000
|13| means "look for 13, in hex (as opposed to ASCII)". In BitTorrent, this is the Protocol Name Length field, which is always set to 19 (|13| in hex). Then "protocol name" = "BitTorrent Protocol".

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Jul 7, 2014, at 6:43 AM, Charlie Egan <chas5873 () gmail com> wrote:

Sorry to be a pain guys, could somebody get back to me regarding my last query?

Cheers,
Charlie

On Thu, Jul 3, 2014 at 11:39 AM, Charlie Egan <chas5873 () gmail com> wrote:

No worries Nathan!

Joel, I'm curious as to what the |13| means in the content section? I can't figure it out when looking at the stream content image I uploaded above from Wireshark. Your rule looks a lot better than mine, with the extra depth which I've just read up about, so thanks for that.

Out of curiosity though, would my initial rule have worked without giving out any false positives?

Cheers

On Wed, Jul 2, 2014 at 7:17 PM, lists () packetmail net <lists () packetmail net> wrote:

On 07/02/2014 12:56 PM, Joel Esler (jesler) wrote:
I think Nathan may have missed the “BitTorrent protocol” part.
Without a doubt, I completely missed it. I profusely apologize, Charlie.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
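The handshake layout Joel describes above (a one-byte protocol name length of 0x13 = 19, followed by the 19-byte name "BitTorrent protocol") is what a Snort content match of the form |13|BitTorrent protocol keys on. The following is an added, stand-alone Python example written for this archive page; it is not code from the thread, and the rule content and depth it uses are assumptions (neither Charlie's original rule nor Joel's revised rule is reproduced on this page). It decodes Snort's |..| hex notation into the bytes it matches, emulates a content match with and without a depth modifier, and parses the rest of the peer-wire handshake (reserved bits, info_hash, peer_id) from constructed sample payloads. The depth check shows why anchoring the 20-byte pattern to the start of the payload matters: the same string appearing deep inside unrelated traffic does not fire.

```python
import struct
from typing import Optional

# Protocol name carried in the BitTorrent peer-wire handshake (RFC-less, BEP 3).
HANDSHAKE_PSTR = b"BitTorrent protocol"

# Assumed rule fragment for the demo; not the rule posted to the list.
RULE_CONTENT = "|13|BitTorrent protocol"
RULE_DEPTH = 20  # 1 length byte + 19-byte protocol name


def snort_content_to_bytes(content: str) -> bytes:
    """Translate a Snort content string into the raw bytes it matches.

    Text outside |...| is literal ASCII; text inside the pipes is hex,
    optionally space separated, e.g. "|13|BitTorrent protocol" or "AB|43 44|E".
    """
    if content.count("|") % 2:
        raise ValueError("unbalanced | delimiters in content string")
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("ascii")          # literal segment
        else:
            out += bytes.fromhex(part.replace(" ", ""))  # hex segment
    return bytes(out)


def content_matches(payload: bytes, content: str, depth: Optional[int] = None) -> bool:
    """Emulate `content:"..."; depth:N;`.

    With a depth, the whole pattern must lie within the first N bytes of the
    payload (Snort rejects a depth shorter than the pattern); without one the
    pattern may occur anywhere.
    """
    pattern = snort_content_to_bytes(content)
    if depth is not None and depth < len(pattern):
        raise ValueError("depth must be at least the pattern length")
    window = payload if depth is None else payload[:depth]
    return pattern in window


def parse_handshake(payload: bytes) -> Optional[dict]:
    """Parse a peer-wire handshake: pstrlen, pstr, 8 reserved bytes, 20-byte
    info_hash, 20-byte peer_id. Returns None if the prefix is not the
    19-byte "BitTorrent protocol" name or the message is truncated."""
    if not payload or payload[0] != 0x13:
        return None
    pstrlen = payload[0]
    if payload[1:1 + pstrlen] != HANDSHAKE_PSTR:
        return None
    body = payload[1 + pstrlen:]
    if len(body) < 48:
        return None
    reserved, info_hash, peer_id = struct.unpack("!8s20s20s", body[:48])
    return {"reserved": reserved, "info_hash": info_hash.hex(), "peer_id": peer_id}


def classify(payload: bytes) -> str:
    """Apply the assumed rule the way Snort would, then explain a near miss."""
    if content_matches(payload, RULE_CONTENT, depth=RULE_DEPTH):
        return "alert: BitTorrent handshake"
    if content_matches(payload, RULE_CONTENT):
        return "no alert: name present but not within depth"
    return "no alert"


# Constructed sample traffic for the demo (not captured from a real peer).
HANDSHAKE = (
    b"\x13BitTorrent protocol"   # pstrlen = 0x13 (19) + protocol name
    + b"\x00" * 8                # reserved / extension bits
    + bytes(range(20))           # info_hash, made up
    + b"-PY0001-" + b"0" * 12    # peer_id, made up Azureus-style id
)
# Unrelated HTTP traffic whose body happens to contain the same 20 bytes,
# but far past offset 20, so a depth-limited rule does not fire on it.
HTTP_CHATTER = (
    b"POST /notes HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"The peer handshake starts with \x13BitTorrent protocol"
)

if __name__ == "__main__":
    print(snort_content_to_bytes(RULE_CONTENT))
    for name, pkt in (("handshake", HANDSHAKE), ("http", HTTP_CHATTER)):
        print(name, "->", classify(pkt))
    print(parse_handshake(HANDSHAKE))
```

Without the depth modifier the second payload would also match, which is the kind of false positive a plain content match on a short ASCII string invites; pinning the length byte plus name to the first 20 bytes of the payload ties the signature to the handshake position rather than to the string alone.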
Current thread:
- Could someone test a rule for me please? Charlie Egan (Jul 02)
- Re: Could someone test a rule for me please? lists () packetmail net (Jul 02)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 02)
- Re: Could someone test a rule for me please? Joel Esler (jesler) (Jul 02)
- Re: Could someone test a rule for me please? lists () packetmail net (Jul 02)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 03)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 07)
- Re: Could someone test a rule for me please? Joel Esler (jesler) (Jul 07)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 07)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 09)
- Re: Could someone test a rule for me please? Joel Esler (jesler) (Jul 09)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 02)
- Re: Could someone test a rule for me please? lists () packetmail net (Jul 02)
- Re: Could someone test a rule for me please? Joel Esler (jesler) (Jul 02)
- Re: Could someone test a rule for me please? Charlie Egan (Jul 09)
- Re: Could someone test a rule for me please? Joel Esler (jesler) (Jul 09)
- Re: Could someone test a rule for me please? Jamie Riden (Jul 09)