Snort mailing list archives
Re: byte_test
From: Todd Wease <twease () sourcefire com>
Date: Thu, 02 Aug 2007 12:57:31 -0400
snort user wrote:
Greetings. I have a test rule --

alert udp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"AMD procedure 7 plog overflow "; \
content: "|00 04 93 F3|"; \
content: "|00 00 00 07|"; distance: 4; within: 4; \
byte_test: 4,>, 1000, 20, relative;)

I need to generate a packet that triggers this rule. Everything is clear to me except the byte_test part. Can someone explain what 'byte_test: 4,>, 1000, 20, relative' means?
It means look at 4 bytes at offset 20 relative to the last match and if those 4 bytes are a number greater than 1000, the test passes.
What is to be there in the UDP payload to trigger this ?
First, there needs to be a match on |00 04 93 F3| in the packet. If a match is found, there needs to be the content |00 00 00 07|, starting 4 bytes away from the end of the first match. If this content is matched then the byte test is performed 20 bytes away from the end of this last match and the value of the next 4 bytes is used for the byte test comparison.
Thanks a lot
Todd
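As an added illustration (not part of the thread and not Snort's own code), a small Python model of how the content / distance / within / byte_test options in the rule above walk a UDP payload; it assumes byte_test's default big-endian unsigned reading and ignores offset, depth and other modifiers, and the sample payloads are constructed for the test.

```python
# Constructed model of the rule's option chain; NOT Snort's implementation.
# Real Snort also handles offset/depth, fast-pattern selection, endianness
# options and multiple-match retries, none of which are modelled here.
import struct

FIRST = bytes.fromhex("000493F3")   # content: "|00 04 93 F3|"
SECOND = bytes.fromhex("00000007")  # content: "|00 00 00 07|"; distance: 4; within: 4


def match_content(payload, pattern, start, distance=0, within=None):
    """Search for `pattern` starting `distance` bytes after `start`; `within`
    bounds the search window. Returns the index just past the match, or -1."""
    search_from = start + distance
    search_to = len(payload) if within is None else search_from + within
    idx = payload.find(pattern, search_from, search_to)  # whole pattern must fit
    return -1 if idx < 0 else idx + len(pattern)


def byte_test(payload, size, value, offset, start):
    """byte_test: size,>,value,offset,relative  (big-endian unsigned, the default)."""
    pos = start + offset
    field = payload[pos:pos + size]
    if len(field) != size:
        return False  # payload too short to read the tested field: no alert
    return struct.unpack("!I", field)[0] > value


def rule_matches(payload):
    """Evaluate the rule's payload options in order, each relative to the last match."""
    end1 = match_content(payload, FIRST, 0)
    if end1 < 0:
        return False
    end2 = match_content(payload, SECOND, end1, distance=4, within=4)
    if end2 < 0:
        return False
    return byte_test(payload, 4, 1000, 20, end2)


def build_sample(value):
    """Constructed test payload laid out as the rule expects: first content,
    4 gap bytes, second content, 20 gap bytes, then the 4-byte tested field."""
    return FIRST + b"\x00" * 4 + SECOND + b"\x00" * 20 + struct.pack("!I", value)


if __name__ == "__main__":
    print(rule_matches(build_sample(1001)))        # True: 1001 > 1000
    print(rule_matches(build_sample(1000)))        # False: not greater than 1000
    print(rule_matches(build_sample(1001)[:-1]))   # False: tested field truncated
```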