Snort mailing list archives

byte_test only on reassembled stream?


From: Duane Howard <duane.security () gmail com>
Date: Fri, 11 Dec 2015 11:04:25 -0800

I currently have a rule that looks for something like:

flow:established,from_server; byte_test:1,&,0x82,2;


I have a payload that is a UDP fragment that is tripping this up: the byte at
the inspected position is 0x87, but on the fully reassembled stream (which is
what Snort logs in the pseudopacket) it is 0x84.

I'm really only interested in the value from the reassembled part of this, and
not the bits in the data section of the initial fragment. Is this working as
intended? Is there a way to accomplish what I want (only match on the
pseudo-packet/reassembled byte stream)?

Thanks,
Duane
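Not part of the thread: an added Python evaluator for Snort's byte_test option, run over two constructed buffers that stand in for the fragment and the reassembled stream described above, so the rule's behaviour on each can be checked offline. The ByteTest class, the evaluate() helper and the sample bytes are assumptions made for illustration, not Snort's own implementation.

```python
import operator
from dataclasses import dataclass

# Added example, not from the thread: a minimal evaluator for Snort's byte_test
# option, covering a subset of its syntax (count, [!]op, value, offset, little).

@dataclass
class ByteTest:
    num_bytes: int
    op: str
    value: int
    offset: int
    negate: bool = False
    little_endian: bool = False

    @classmethod
    def parse(cls, option: str) -> "ByteTest":
        # e.g. "byte_test:1,&,0x82,2;" -> count 1, op '&', value 0x82, offset 2
        parts = [p.strip() for p in option.split(":", 1)[1].rstrip(";").split(",")]
        count, op, value, offset = parts[:4]
        negate = op.startswith("!")
        op = (op[1:] if negate else op) or "="   # a bare "!" means "not equal"
        return cls(int(count), op, int(value, 0), int(offset, 0), negate, "little" in parts[4:])

    def matches(self, payload: bytes) -> bool:
        # A window that runs past the end of the buffer never matches, as in Snort.
        end = self.offset + self.num_bytes
        if self.offset < 0 or end > len(payload):
            return False
        extracted = int.from_bytes(payload[self.offset:end], "little" if self.little_endian else "big")
        ops = {
            "<": operator.lt, ">": operator.gt, "=": operator.eq,
            ">=": operator.ge, "<=": operator.le,
            "&": lambda a, b: (a & b) != 0,    # any of the mask bits set
            "^": lambda a, b: (a ^ b) != 0,    # differs from value in some bit
        }
        result = ops[self.op](extracted, self.value)
        return not result if self.negate else result

# Constructed sample buffers modelled on the thread: offset 2 holds 0x87 in the
# first fragment's data section and 0x84 in the reassembled stream Snort logs.
FRAGMENT_PAYLOAD = bytes([0x00, 0x01, 0x87, 0xAA])
REASSEMBLED_PAYLOAD = bytes([0x00, 0x01, 0x84, 0xBB])

def evaluate(option: str, payload: bytes) -> bool:
    return ByteTest.parse(option).matches(payload)

if __name__ == "__main__":
    for opt in ("byte_test:1,&,0x82,2;", "byte_test:1,=,0x84,2;"):
        print(opt, "fragment:", evaluate(opt, FRAGMENT_PAYLOAD),
              "reassembled:", evaluate(opt, REASSEMBLED_PAYLOAD))
```

Note that with the `&` operator and mask 0x82 both 0x87 and 0x84 satisfy the test, since each has the 0x80 bit set; an `=` test against 0x84 is what distinguishes the two buffers.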
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!