Snort mailing list archives
Query on byte_math operator
From: Santosh Subramanya via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 31 Aug 2020 06:56:44 +0000
Hi Team,

I have a query on the byte_math operator. The Snort Manual says that the value for rvalue in byte_math can be between 0 - 4294967295. Does this mean that byte_math will not support rvalue having a negative value? Is there a way to store negative values in rvalue? I tried extracting a negative value using byte_extract and referencing that variable in rvalue, but I get a compilation error.

Is there a way to test underflow or overflow conditions in byte_math? For example, with a variable having 0xffffffff, after performing byte_math addition or subtraction, we can store that value (the overflow or underflow value) in rvalue and later test that value using byte_test for overflow or underflow.

Can you please provide an answer to the above query?

Thanks and Regards,
Santosh
Sophos Technologies
Threat Researcher