Snort mailing list archives
Interpreting relative option in byte_test
From: Sushil Pangeni via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 12 Apr 2022 14:26:10 -0700
Hi All,

I would like to request help in correctly interpreting a Snort signature. I have a signature that uses a byte_test option with the relative keyword. However, the signature has no content. How is the relative keyword supposed to behave in such cases?

    alert tcp any any -> any any (msg:"test"; flow:to_server; byte_test:2,=,0x01,0; byte_jump:1,12; byte_test:2,=,0x02,0,relative; byte_test:2,=,0x03,3,relative; )

As per Snort's manual here <http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html?msclkid=24ba9a70ba9111ec900ad54a232c9dd8>, under the section for byte_test, relative is described as "Use an offset relative to last pattern match".

So is the above rule invalid, or is there some more interpretation to byte_test with relative?

PS. This is my first post to this mailing group. Apologies if the email is not properly formed or this is not the right place for this question.

Thanks,
Sushil Pangeni
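The following is an added illustration, not code from the thread or from Snort itself. It is a small Python model of the detection cursor that the rule above depends on, written under the assumption (stated here, not confirmed by the post) that byte_jump moves the cursor and that a relative byte_test measures its offset from that cursor rather than only from a content match, while byte_test itself leaves the cursor where it is. The payload is constructed, the option evaluators are simplified (big-endian binary reads, equality and ordering operators only), and names such as evaluate_rule and build_payload are this example's own.

```python
"""Toy model of Snort's detection cursor for the posted rule.

Constructed for illustration only; this is not Snort source code.
Assumed semantics: byte_jump sets the cursor, relative byte_test reads
from the cursor, non-relative options read from payload offset 0, and
byte_test never moves the cursor.
"""


def byte_test(payload, cursor, nbytes, op, value, offset, relative=False):
    """Model byte_test: read nbytes at base+offset and compare to value.

    base is the cursor when relative, else the payload start.
    The cursor is not changed by this option.
    """
    start = (cursor if relative else 0) + offset
    if start < 0 or start + nbytes > len(payload):
        return False
    read = int.from_bytes(payload[start:start + nbytes], "big")
    ops = {"=": read == value, "<": read < value, ">": read > value}
    return ops[op]


def byte_jump(payload, cursor, nbytes, offset, relative=False):
    """Model byte_jump: read nbytes at base+offset, then place the cursor
    just past the bytes read plus the value read.

    Returns the new cursor, or None when the read or jump leaves the payload.
    """
    start = (cursor if relative else 0) + offset
    if start < 0 or start + nbytes > len(payload):
        return None
    value = int.from_bytes(payload[start:start + nbytes], "big")
    new_cursor = start + nbytes + value
    if new_cursor > len(payload):
        return None
    return new_cursor


def evaluate_rule(payload):
    """Walk the four detection options of the posted rule in order.

    Returns (matched, cursor) so the caller can see where the cursor ended up.
    """
    cursor = 0
    # byte_test:2,=,0x01,0  -> absolute offset 0, cursor untouched
    if not byte_test(payload, cursor, 2, "=", 0x01, 0):
        return False, cursor
    # byte_jump:1,12        -> read 1 byte at absolute offset 12, move cursor
    cursor = byte_jump(payload, cursor, 1, 12)
    if cursor is None:
        return False, None
    # byte_test:2,=,0x02,0,relative -> read 2 bytes at cursor+0
    if not byte_test(payload, cursor, 2, "=", 0x02, 0, relative=True):
        return False, cursor
    # byte_test:2,=,0x03,3,relative -> read 2 bytes at cursor+3 (cursor unmoved)
    if not byte_test(payload, cursor, 2, "=", 0x03, 3, relative=True):
        return False, cursor
    return True, cursor


def build_payload(jump):
    """Constructed sample payload that satisfies the rule for a given jump length."""
    buf = bytearray(32)
    buf[0:2] = b"\x00\x01"          # first byte_test
    buf[12] = jump                  # length byte read by byte_jump
    target = 12 + 1 + jump          # where the cursor lands
    buf[target:target + 2] = b"\x00\x02"      # second byte_test
    buf[target + 3:target + 5] = b"\x00\x03"  # third byte_test
    return bytes(buf)


if __name__ == "__main__":
    sample = build_payload(3)
    print(evaluate_rule(sample))    # expected (True, 16) under the assumed semantics
```

Under this model the rule is consistent: the two relative tests are anchored by byte_jump, not by a content match, and the third test reads at cursor+3 because the second test did not advance the cursor. Running the same relative test as an absolute one (offset 0 from payload start) fails on the sample payload, which is the practical difference the post is asking about.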