Snort mailing list archives

Re: Urgent Pointer


From: Y M <snort () outlook com>
Date: Thu, 30 Jun 2016 17:42:04 +0000

I am not sure what you are trying to accomplish, but have you checked the non-payload keywords "ack" and "flags" in Snort rules? These should have direct access to the headers. I bet your offset is acting on the payload rather than the headers and their fields. Here is the reference from the Snort documentation:
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node33.html


YM
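
The distinction YM draws above (content/offset operate on the TCP payload, while the acknowledgement number and urgent pointer sit in the TCP header in front of it) can be seen by parsing a segment by hand. The following Python is an added example, not code from the thread or from the Snort project: it builds a constructed TCP segment, splits header from payload, shows that a payload-relative offset can never reach the header fields, and emits a rule that uses the non-payload keywords `ack` and `flags` named in the reply. The `content_match` function is a simplified emulation of Snort's content/offset/depth semantics, and the rule text, sid and flag choices are assumptions for illustration.

```python
import struct

# TCP flag bits (low 9 bits of the data-offset/flags word)
TCP_PSH = 0x08
TCP_ACK = 0x10
TCP_URG = 0x20

# Layout of a 20-byte TCP header without options:
# sport, dport, seq, ack, dataoffset+flags, window, checksum, urgent pointer
TCP_HDR_FMT = "!HHIIHHHH"


def build_segment(sport, dport, seq, ack, flags, urg_ptr, payload):
    """Construct a TCP segment (header + payload) with a 5-word header.
    Checksum is left at 0; this is sample data, not a sendable packet."""
    off_flags = (5 << 12) | (flags & 0x1FF)
    hdr = struct.pack(TCP_HDR_FMT, sport, dport, seq, ack, off_flags,
                      65535, 0, urg_ptr)
    return hdr + payload


def parse_tcp(segment):
    """Split a TCP segment into its header fields and its payload.
    The urgent pointer is bytes 18-19 of the header; the ack number is
    bytes 8-11. Neither is part of the payload that content rules see."""
    (sport, dport, seq, ack, off_flags,
     window, csum, urg_ptr) = struct.unpack(TCP_HDR_FMT, segment[:20])
    hdr_len = (off_flags >> 12) * 4          # data offset is in 32-bit words
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": window,
        "urg_ptr": urg_ptr, "header_len": hdr_len,
        "payload": segment[hdr_len:],
    }


def content_match(payload, pattern, offset=0, depth=None):
    """Emulate Snort's content;offset;depth: offset counts from byte 0 of
    the payload, so header bytes are simply not addressable from here."""
    if offset < 0:
        raise ValueError("offset is relative to the payload start; "
                         "header fields are not reachable")
    end = None if depth is None else offset + depth
    return pattern in payload[offset:end]


def rule_for(ack, require_urg):
    """Build a Snort rule using the non-payload keywords ack and flags.
    'U+' matches URG plus any other flags; 'A+' matches ACK plus any."""
    flags = "U+" if require_urg else "A+"
    return ('alert tcp any any -> any any (msg:"constructed ack/urg check"; '
            f'flags:{flags}; ack:{ack}; sid:1000001; rev:1;)')


# Constructed sample segment: ACK|PSH|URG set, urgent pointer 7
SAMPLE = build_segment(1234, 80, 0x11111111, 0x22222222,
                       TCP_ACK | TCP_PSH | TCP_URG, 7, b"HELLO!!!")

if __name__ == "__main__":
    fields = parse_tcp(SAMPLE)
    print("ack number :", hex(fields["ack"]))
    print("urgent ptr :", fields["urg_ptr"])
    print("payload    :", fields["payload"])
    print(rule_for(fields["ack"], bool(fields["flags"] & TCP_URG)))
```

Running it prints the header values and a rule of the form `alert tcp any any -> any any (msg:"..."; flags:U+; ack:572662306; sid:1000001; rev:1;)`; the point is that the ack value goes into the `ack` keyword, not into a `content`/`offset` pair, because offset 0 of the payload is already past the whole header.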
________________________________
From: Pittigher, Raymond <RPITTIGH () harris com>
Sent: Thursday, June 30, 2016 8:29 PM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Urgent Pointer

I am trying, but have not succeeded yet, to read data in the "urgent pointer" or "acknowledgement number" fields. I am trying with the offset option, assuming it must be a negative number? I am using Snort on the command line with a pcap file. Anybody ever do this?
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!