Re: Comparison of extracted value between packets

[Patrick Mullen <pmullen () sourcefire com>]

> In a flow-bit based rule, is it possible to extract value from packet A
and compare (byte_test) with a value in packet B.

The short answer is "no."

The medium answer is "well, it depends.  Are both packets coming from the
same host and going to the same host and is the stream reassembled, thereby
(potentially) putting the two values into the same reassembled packet?"

The long answer is "with shared object rules, all things are possible."

Sorry the answer is somewhat vague, but your question doesn't have enough
information to give a complete answer.  I would potentially need a pcap and
a clear description of what you're trying to do to give you a better answer.


Thanks,

~Patrick
-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!