Snort mailing list archives
Detection of hex pattern given directly in a TCP header
From: Маркин Юрий Витальевич <ustas () ispras ru>
Date: Thu, 12 Oct 2017 13:13:30 +0300
Hello,

I'm trying to create a Snort rule for detecting a hex pattern given directly (like "|0a 01 0f 03|") in a TCP header (or IP payload). As far as I know the 'content' keyword cannot help me, because it is used to search for a hex pattern in the transport layer protocol payload, but not in the payload of the network layer protocol. I tried to use the 'offset' keyword with a negative value to "move" the cursor to the left of the TCP payload, but this method has failed.

Is it possible for Snort to detect a hex pattern in a TCP header?

Thanks in advance.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
http://www.snort.org
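The question hinges on where the TCP header ends and the payload begins, because Snort's `content` match starts at the payload. The following is an added example, not code from the post or from the Snort project: a small stand-alone Python parser that splits a raw IPv4/TCP packet at the IP header length and the TCP data offset, then reports whether a Snort-style `|..|` hex literal lands in the TCP header (and in which field) or in the payload. The packet bytes are constructed for the example, not a capture; the pattern `|0a 01 0f 03|` from the post is placed in the sequence number field so the run shows a header hit and no payload hit.

```python
import struct

# Constructed sample packet (not a real capture): 20-byte IPv4 header,
# 24-byte TCP header (data offset 6, one MSS option), 8-byte payload.
SAMPLE_PACKET = (
    bytes.fromhex("45000034000140004006" "0000" "0a000001" "0a000002")   # IPv4 header
    + bytes.fromhex("12340050" "0a010f03" "00000000" "6002ffff" "00000000" "020405b4")  # TCP header
    + b"payload!"                                                        # TCP payload
)

# Byte offset of each fixed TCP header field; anything from 20 on is options.
TCP_FIELDS = [
    (0, "src_port"), (2, "dst_port"), (4, "seq"), (8, "ack"),
    (12, "data_offset/flags"), (14, "window"), (16, "checksum"),
    (18, "urgent_ptr"), (20, "options"),
]


def parse_hex_pattern(spec: str) -> bytes:
    """Turn a Snort-style '|0a 01 0f 03|' literal into raw bytes."""
    s = spec.strip()
    if s.startswith("|") and s.endswith("|"):
        s = s[1:-1]
    return bytes.fromhex(s)


def split_ipv4_tcp(packet: bytes):
    """Return (tcp_header, tcp_payload) for a raw IPv4 packet carrying TCP."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4           # IHL is in 32-bit words
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:                     # protocol field: 6 = TCP
        raise ValueError("IP payload is not TCP")
    ip_payload = packet[ihl:total_len]
    if len(ip_payload) < 20:
        raise ValueError("short TCP header")
    data_off = (ip_payload[12] >> 4) * 4   # TCP data offset, also in 32-bit words
    if data_off < 20 or len(ip_payload) < data_off:
        raise ValueError("bad TCP data offset")
    return ip_payload[:data_off], ip_payload[data_off:]


def tcp_field_at(offset: int) -> str:
    """Name the TCP header field that contains the given header byte offset."""
    name = "options"
    for start, fname in TCP_FIELDS:
        if offset >= start:
            name = fname
    return name


def find_pattern(packet: bytes, spec: str) -> dict:
    """Search the TCP header and the TCP payload separately for a hex literal.

    A Snort 'content' match only covers the payload part; a hit reported under
    'header_offset' is exactly the case the original question asks about.
    """
    pat = parse_hex_pattern(spec)
    hdr, payload = split_ipv4_tcp(packet)
    h = hdr.find(pat)
    p = payload.find(pat)
    return {
        "header_offset": h if h != -1 else None,
        "field": tcp_field_at(h) if h != -1 else None,
        "payload_offset": p if p != -1 else None,
    }


if __name__ == "__main__":
    for spec in ("|0a 01 0f 03|", "|70 61 79|"):
        print(spec, find_pattern(SAMPLE_PACKET, spec))
```

Running the block prints a header hit at offset 4 in the `seq` field for `|0a 01 0f 03|` and a payload hit at offset 0 for `|70 61 79|` ("pay"), which is the distinction a rule writer has to keep in mind when deciding whether a payload-oriented keyword can see the bytes at all.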
Current thread:
- Detection of hex pattern given directly in a TCP header Маркин Юрий Витальевич (Oct 12)
- Re: Detection of hex pattern given directly in a TCP header rmkml (Oct 12)
- Re: Detection of hex pattern given directly in a TCP header Yury Markin (Oct 12)
- Re: Detection of hex pattern given directly in a TCP header rmkml (Oct 12)
- Re: Detection of hex pattern given directly in a TCP header Russ via Snort-sigs (Oct 12)
- Re: Detection of hex pattern given directly in a TCP header ustas (Oct 12)
- Re: Detection of hex pattern given directly in a TCP header Patrick Mullen (Oct 16)
- Re: Detection of hex pattern given directly in a TCP header Russ via Snort-sigs (Oct 24)
- Re: Detection of hex pattern given directly in a TCP header Yury Markin (Oct 12)
- Re: Detection of hex pattern given directly in a TCP header rmkml (Oct 12)
- Re: Detection of hex pattern given directly in a TCP header ustas (Oct 12)