Snort mailing list archives

Re: byte_test


From: Todd Wease <twease () sourcefire com>
Date: Thu, 02 Aug 2007 12:57:31 -0400

snort user wrote:
Greetings.

I have a test rule --
alert udp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"AMD procedure 7 plog overflow "; \
content: "|00 04 93 F3|"; \
content: "|00 00 00 07|"; distance: 4; within: 4; \
byte_test: 4,>, 1000, 20, relative;)

I need to generate a packet that triggers this rule.

Everything is clear to me except the byte_test part.

Can someone explain what 'byte_test: 4,>, 1000, 20, relative' means?

It means look at 4 bytes at offset 20 relative to the last match and if
those 4 bytes are a number greater than 1000, the test passes.


What is to be there in the UDP payload to trigger this ?

First, there needs to be a match on |00 04 93 F3| in the packet.  If a
match is found, there needs to be the content |00 00 00 07|, starting 4
bytes away from the end of the first match.  If this content is matched
then the byte test is performed 20 bytes away from the end of this last
match and the value of the next 4 bytes is used for the byte test
comparison.




Thanks a lot

Todd
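As an added illustration that is not part of this thread or of Snort's own code: the Python below models only the option chain Todd walks through (an unanchored first content, `distance:4; within:4` for the second, and a `byte_test` read relative to the end of the last match) and runs it over constructed payloads so the effect of each option on the detection pointer is visible. It assumes Snort's default big-endian conversion for `byte_test`; the payload layout and the names `evaluate_rule` and `build_payload` are the example's own.

```python
import struct

# Patterns and parameters from the rule under discussion.
FIRST_CONTENT = bytes.fromhex("000493F3")    # content:"|00 04 93 F3|"
SECOND_CONTENT = bytes.fromhex("00000007")   # content:"|00 00 00 07|"
BYTE_TEST_SIZE = 4        # byte_test: 4 bytes ...
BYTE_TEST_VALUE = 1000    # ... compared with ">" against 1000 ...
BYTE_TEST_OFFSET = 20     # ... read 20 bytes past the end of the last match (relative)


def evaluate_rule(payload: bytes) -> dict:
    """Walk the rule's option chain over one UDP payload.

    Returns a trace dict with "matched" plus the offsets each step landed on,
    so the effect of distance/within/relative is visible.
    """
    trace = {"matched": False}

    # Step 1: the first content is unanchored, so it is searched from the
    # start of the payload. The detection pointer moves to the end of the hit.
    idx = payload.find(FIRST_CONTENT)
    if idx < 0:
        trace["reason"] = "first content not found"
        return trace
    doe = idx + len(FIRST_CONTENT)
    trace["first_match_end"] = doe

    # Step 2: distance:4 skips 4 bytes after the previous match; within:4 then
    # allows the 4-byte pattern to occupy only those next 4 bytes, so the
    # second content must begin exactly at doe + 4.
    start = doe + 4
    if payload[start:start + len(SECOND_CONTENT)] != SECOND_CONTENT:
        trace["reason"] = "second content not 4 bytes after the first match"
        return trace
    doe = start + len(SECOND_CONTENT)
    trace["second_match_end"] = doe

    # Step 3: byte_test with "relative" reads 4 bytes starting 20 bytes past the
    # end of the last match. Big-endian conversion is assumed (Snort's default),
    # then the ">" comparison against 1000 decides the match.
    off = doe + BYTE_TEST_OFFSET
    field = payload[off:off + BYTE_TEST_SIZE]
    if len(field) < BYTE_TEST_SIZE:
        trace["reason"] = "payload too short for byte_test"
        return trace
    value = struct.unpack(">I", field)[0]
    trace["byte_test_offset"] = off
    trace["byte_test_value"] = value
    trace["matched"] = value > BYTE_TEST_VALUE
    return trace


def build_payload(length_field: int, gap: bytes = b"\x00" * 4,
                  filler: bytes = b"\x00" * 20) -> bytes:
    """Constructed test payload laid out to the rule's offsets.

    Layout: FIRST_CONTENT | 4-byte gap | SECOND_CONTENT | 20 bytes of other
    fields | 4-byte big-endian value inspected by byte_test. The gap and filler
    bytes are arbitrary; they exist only so the offsets line up.
    """
    return FIRST_CONTENT + gap + SECOND_CONTENT + filler + struct.pack(">I", length_field)


if __name__ == "__main__":
    # Values just above and at the threshold: 1001 alerts, 1000 does not.
    for v in (1001, 1000):
        print(v, evaluate_rule(build_payload(v)))
    # Both patterns present, but the second sits 8 bytes after the first match,
    # so the within:4 check fails and byte_test is never reached.
    too_far = FIRST_CONTENT + b"\x00" * 8 + SECOND_CONTENT + b"\x00" * 24
    print("too far:", evaluate_rule(too_far))
```

The trace dict is the useful part when tuning a rule like this: it shows that `byte_test` never fires unless both preceding contents land at the exact offsets `distance`/`within` demand, and that a value equal to the threshold does not satisfy `>`.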



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

