Re: IPID field filtering

[Geoffrey Serrao <gserrao () sourcefire com>]

Hey Fraser,

Are you using the id:<number>; rule option? Is it possible to convert the
ascii you want to match to it's decimal representation?

For instance,

ascii "AA" in the IPID field would be 0x4141 in hex and 16705 in decimal.



On Thu, Feb 25, 2016 at 7:56 AM, Mcintosh, Fraser <
40121324 () live napier ac uk> wrote:

> Good afternoon!
>
>
> I am a computer security student currently undertaking an Honours project
> on covert channels and steganography. I tried to use Snort to raise an
> alert if it finds ASCII characters in the IPID field of frames. However, I
> keep getting an error message saying that the value has to be a number when
> filtering the IPID field. After trying to find a reason as to why Snort
> doesn't allow this I found nothing. Therefore I would be very greatful if
> someone could offer an explanation as to why Snort does not support
> filtering against strings for the IPID field.
>
>
> Many thanks, Fraser McIntosh.
>
> This message and its attachment(s) are intended for the addressee(s) only
> and should not be read, copied, disclosed, forwarded or relied upon by any
> person other than the intended addressee(s) without the permission of the
> sender. If you are not the intended addressee you must not take any action
> based on this message and its attachment(s) nor must you copy or show them
> to anyone. Please respond to the sender and ensure that this message and
> its attachment(s) are deleted.
>
> It is your responsibility to ensure that this message and its
> attachment(s) are scanned for viruses or other defects. Edinburgh Napier
> University does not accept liability for any loss or damage which may
> result from this message or its attachment(s), or for errors or omissions
> arising after it was sent. Email is not a secure medium. Emails entering
> Edinburgh Napier University's system are subject to routine monitoring and
> filtering by Edinburgh Napier University.
>
> Edinburgh Napier University is a registered Scottish charity. Registration
> number SC018373
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!