Snort mailing list archives
Re: Snort rule for a pattern match?
From: Jamie Riden <jamie.riden () gmail com>
Date: Tue, 26 Mar 2013 18:37:02 +0000
I hate to suggest such a kludge, but I'm going to anyway:

Can you just generate all the possible rules using a perl script? Do we know what range of starting characters are possible?

Joel will be along in a minute to tell you the proper way to do it :)

On 26 March 2013 18:01, Shields, Joseph (NIH/NIEHS) [C] <joseph.shields () nih gov> wrote:
I’m reposting this question as I have not seen any responses yet. Perhaps this can’t be done at this time.

Brian

I am looking for a pattern that identifies a threat I am tracking and need to write a signature to find it. The problem is that I don’t know what the starting character will be but I will always know what the difference between two given characters will be.

A simple, human readable, example is: ABCDTSRQ

The difference between each character is:

[A] is 1 SMALLER than
[B] is 1 SMALLER than
[C] is 1 SMALLER than
[D] is 16 SMALLER than
[T] is 1 BIGGER than
[S] is 1 BIGGER than
[R] is 1 BIGGER than
[Q]

The pattern in this example is -1,-1,-1,-16,+1,+1,+1.

BCDEXWVU would match this pattern and so would HIJKZXYW.

How can I write this rule?

Brian

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!

--
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden
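
The rule-generation approach suggested in the reply above, as an added example that is not code from the thread or from the Snort project (written in Python rather than Perl): it expands the `-1,-1,-1,-16,+1,+1,+1` difference pattern into one concrete `content` rule per possible starting byte. It assumes byte values do not wrap around past 0 or 255; the rule header, `msg` text and SID base are placeholders.

```python
# Added example: expand a byte-difference pattern into one Snort rule per start byte.
# Deltas use the thread's convention: -1 means "this byte is 1 smaller than the next".
DELTAS = [-1, -1, -1, -16, +1, +1, +1]   # from the ABCDTSRQ example
BASE_SID = 1000000                        # assumption: SID range for local rules


def expand(start, deltas):
    """Return the byte sequence for one start value, or None if it leaves 0..255."""
    seq = [start]
    for d in deltas:
        nxt = seq[-1] - d                 # "d smaller than next" => next = cur - d
        if not 0 <= nxt <= 255:
            return None
        seq.append(nxt)
    return bytes(seq)


def all_sequences(deltas, starts=range(256)):
    """Every concrete byte string that satisfies the difference pattern."""
    return [s for s in (expand(b, deltas) for b in starts) if s is not None]


def snort_rule(seq, sid):
    """Format one sequence as a Snort rule using hex content notation."""
    hex_bytes = " ".join(f"{b:02X}" for b in seq)
    return (f'alert tcp any any -> any any (msg:"LOCAL delta pattern start 0x{seq[0]:02X}"; '
            f'content:"|{hex_bytes}|"; sid:{sid}; rev:1;)')


def generate_rules(deltas, starts=range(256), base_sid=BASE_SID):
    """One rule per valid start byte, with consecutive SIDs."""
    return [snort_rule(seq, base_sid + i)
            for i, seq in enumerate(all_sequences(deltas, starts))]


def matches(payload, deltas):
    """Reference check: does any window of payload follow the difference pattern?"""
    n = len(deltas)
    return any(all(payload[i + k] - payload[i + k + 1] == deltas[k] for k in range(n))
               for i in range(len(payload) - n))


if __name__ == "__main__":
    for rule in generate_rules(DELTAS, starts=range(0x41, 0x44)):
        print(rule)
```

Restricting `starts` to the range of starting characters actually expected keeps the generated rule set small; `matches` can be used to check the generated rules against sample payloads before deployment.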