Re: spaces in signature content fields?

[mike hsar <anonisu () yahoo com>]

OK.  I guess then that there is no real significance
to other signautures that don't have the spaces?  For
example in the same backdoor.rules file the content
field for "BACKDOOR subseven 22" has no spaces:
"|0d0a5b52504c5d3030320d0a|".

mike

--- Erek Adams <erek () snort org> wrote:
> On Tue, 18 Feb 2003, mike hsar wrote:
>
> > Can anyone tell me if spaces are significant in
> hex
> > strings in snort signatures?  For example, in
> > backdoor.rules in snort 1.9.0, the signature for
> > "BACKDOOR DeepThroat 3.1 Server Active on Network"
> has
> > a content field of "|00 23|".  Could it just as
> well
> > be written as "|0023|"?
>
> It could, but it would be harder for us non-hex
> based folks to grok.  :)
>
> Since hex is usually listed as XX, it's simpler to
> read and follow the
> patterns if you have the space in there.  Besides,
> it makes cutting and
> pasting from a packet dump a cinch!  ;-)
>
> Cheers!
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."  
> H.S. Thompson


__________________________________________________
Do you Yahoo!?
Yahoo! Shopping - Send Flowers for Valentine's Day
http://shopping.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users