Snort mailing list archives

FW: Snort rule for a pattern match?


From: "Shields, Joseph (NIH/NIEHS) [C]" <joseph.shields () nih gov>
Date: Thu, 7 Mar 2013 20:19:59 +0000

I am looking for a pattern that identifies a threat I am tracking and need to write a signature to find it.  The 
problem is that I don't know what the starting character will be but I will always know what the difference between two 
given characters will be.

A simple, human readable, example is:

ABCDTSRQ

The difference between each character is:

[A] is 1 SMALLER than [B] is 1 SMALLER than [C] is 1 SMALLER than [D] is 16 SMALLER than [T] is 1 BIGGER than [S] is 1 
BIGGER than [R] is 1 BIGGER than [Q]

The pattern in this example is -1,-1,-1,-16,+1,+1,+1.

BCDEXWVU would match this pattern and so would HIJKZXYW.

How can I write this rule?

Brian
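Added example, not from the original thread: one practical way to detect a delta-only pattern like the one asked about. Snort content/pcre options match literal bytes, not arithmetic between bytes, but because the pattern has a fixed length the set of concrete byte strings it can produce is finite, so a rule can enumerate them. The code below both scans a payload directly for the delta pattern and expands it into a PCRE alternation suitable for a hypothetical `pcre:"..."` option (the byte range and sample payloads are constructed assumptions, not data from the post).

```python
import re

# Deltas as written in the post: each value is (this byte) - (next byte),
# so -1 means the next byte is one code point higher.
PATTERN = [-1, -1, -1, -16, +1, +1, +1]


def matches_deltas(window: bytes, deltas) -> bool:
    """True if consecutive bytes of `window` differ by exactly `deltas`."""
    return len(window) == len(deltas) + 1 and all(
        window[i] - window[i + 1] == d for i, d in enumerate(deltas)
    )


def find_delta_pattern(payload: bytes, deltas):
    """Offsets in `payload` where the delta pattern occurs (sliding window)."""
    n = len(deltas) + 1
    return [i for i in range(len(payload) - n + 1)
            if matches_deltas(payload[i:i + n], deltas)]


def expand_to_literals(deltas, lo=0x20, hi=0x7E):
    """Every concrete byte string that realises `deltas` with all bytes in [lo, hi].
    Assumed range: printable ASCII by default; narrow it (e.g. 'A'..'Z') to keep
    the generated alternation small."""
    out = []
    for start in range(lo, hi + 1):
        seq = [start]
        for d in deltas:
            seq.append(seq[-1] - d)
        if all(lo <= b <= hi for b in seq):
            out.append(bytes(seq))
    return out


def pcre_alternation(deltas, lo=0x20, hi=0x7E) -> str:
    """Regex body for a pcre option: hex escapes avoid quoting problems in rules."""
    alts = "|".join("".join(f"\\x{b:02x}" for b in s)
                    for s in expand_to_literals(deltas, lo, hi))
    return f"/(?:{alts})/"


if __name__ == "__main__":
    sample = b"GET /?q=ABCDTSRQ HTTP/1.1"   # constructed payload
    print(find_delta_pattern(sample, PATTERN))
    print(pcre_alternation(PATTERN, 0x41, 0x5A))
```

The generated alternation grows with the allowed byte range, so constrain it to the character class the threat actually uses and pair it with a fast `content` anchor where possible.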
