Snort mailing list archives

Detection of hex pattern given directly in a TCP header


From: Маркин Юрий Витальевич <ustas () ispras ru>
Date: Thu, 12 Oct 2017 13:13:30 +0300

Hello,

I'm trying to create a Snort rule to detect a hex pattern given
directly (like "|0a 01 0f 03|") in a TCP header (or IP payload). As far
as I know, the 'content' keyword cannot help me because it is used to
search for a hex pattern in a transport layer protocol payload, but not
in the payload of a network layer protocol. I tried to use the 'offset'
keyword with a negative value to "move" the cursor to the left of the
TCP payload, but this method has failed.

Is it possible for Snort to detect a hex pattern in a TCP header?

Thanks in advance.


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
