Snort mailing list archives

Re: Max. allowed bytes to extract


From: Y M <snort () outlook com>
Date: Tue, 29 Mar 2016 20:09:13 +0000

Haa, I did not know that. Thanks Alex, this is helpful.


YM

________________________________
From: Alex McDonnell <amcdonnell () sourcefire com>
Sent: Tuesday, March 29, 2016 8:05 PM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] Max. allowed bytes to extract

Hi YM,

A quick grep through the ruleset shows that those that byte_extract 10 bytes all use the "string" modifier.
byte_extract of hex data is limited to 4 bytes.

On Tue, Mar 29, 2016 at 3:57 PM, Y M <snort () outlook com> wrote:

Hello all,


While trying to use the byte_extract, I received an error message "byte_extract rule option cannot extract more than 4 bytes.". Looking at some existing signatures, some of them have 10 bytes to extract. I was not able to infer this from the documentation. Any idea what is the maximum allowed number of bytes to extract?


Thanks.

YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
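
Added example (not part of the original thread, and not Snort's own code): a small pre-flight lint that flags byte_extract options which would trip the error quoted above, so a rule file can be checked before Snort refuses to load it. The 4-byte limit is the one in the error message; the 10-byte ceiling for "string" extracts is an assumption taken from the rules mentioned in the thread, and the sample rules and SIDs are constructed.

```python
import re

MAX_BINARY = 4    # limit quoted in the error message in this thread
MAX_STRING = 10   # assumption: largest size the thread reports with "string"

# Constructed sample rules (not taken from any real ruleset).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"ok binary"; content:"|00 01|"; '
    'byte_extract:2,0,len,relative; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"too wide"; '
    'byte_extract:10,0,len,relative,big; sid:1000002;)',
    'alert tcp any any -> any 80 (msg:"ok string"; content:"Content-Length|3A 20|"; '
    'byte_extract:10,0,clen,relative,string,dec; sid:1000003;)',
    'alert tcp any any -> any 80 (msg:"string too wide"; '
    'byte_extract:11,0,clen,string,dec; sid:1000004;)',
]

OPTION_RE = re.compile(r'byte_extract\s*:\s*([^;]+);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def check_rule(rule):
    """Return a list of problem strings, one per bad byte_extract in the rule."""
    problems = []
    for match in OPTION_RE.finditer(rule):
        args = [a.strip() for a in match.group(1).split(',')]
        try:
            count = int(args[0])
        except ValueError:
            problems.append(f"unparseable byte count {args[0]!r}")
            continue
        # Modifiers follow bytes, offset and variable name (args[0:3]).
        is_string = 'string' in (a.lower() for a in args[3:])
        limit = MAX_STRING if is_string else MAX_BINARY
        if count < 1 or count > limit:
            kind = 'string' if is_string else 'binary'
            problems.append(f"{kind} extract of {count} bytes is outside 1..{limit}")
    return problems

def lint(rules):
    """Map sid -> problems, for rules that have at least one problem."""
    report = {}
    for rule in rules:
        problems = check_rule(rule)
        if problems:
            sid = SID_RE.search(rule)
            report[sid.group(1) if sid else '?'] = problems
    return report

if __name__ == '__main__':
    for sid, problems in lint(SAMPLE_RULES).items():
        print(sid, problems)
```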
