Snort mailing list archives

Re: Question regarding content of a rule


From: "Joel Esler (jesler) via Snort-sigs" <snort-sigs () lists snort org>
Date: Mon, 27 Jul 2020 13:52:44 +0000

This rule has been deleted, however.

Digits in between pipes (for instance |09| below) are looking for 09 in hex, not ASCII.

Since this is a DNS lookup, |09| is the number of bytes in the next sequence “tiptronic”.

On Jul 27, 2020, at 7:37 AM, Matej Lietava via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi guys,

Sorry, I am quite new to Snort and I have been checking out the various rules that are in the snort3 rules file. I am writing my own rule parser and small detection engine that will work off of the Snort rules. I have been trying to understand the rule options, but I am quite confused when it comes to some of the content options. Some of the signatures are just byte code indicated by |. I understand that, but I don't understand what it means when there are strings and byte code in the same content signature, such as for rule SID 32385 where it is content: "|09|tiptronic|04|soxx|02|us|00|". Does this mean that the byte code 0x09 will be first and then immediately after the string tiptronic?
I am very confused in understanding how the signature works when there are byte code and strings together.

Thank you.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads


