Snort mailing list archives

Re: byte_extract addition?


From: "Ed Borgoyn (eborgoyn)" <eborgoyn () cisco com>
Date: Thu, 9 Oct 2014 18:44:04 +0000

Hello Mike,
  Thank you for the Snort improvement recommendation.  Of your two options, I would vote to add an ADDER modifier to 
byte_extract to accompany the MULTIPLIER modifier.

  I will vet the concept with the team.  If appropriate I will place it on the Snort new feature list.  (And provide 
you with the proper attribution.)

    Best Regards,
    Ed Borgoyn, The Snort Development Team @Cisco


From: Mike Cox <mike.cox52 () gmail com>
Date: Thursday, October 9, 2014 at 1:22 PM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: [Snort-devel] byte_extract addition?

Hi Snort-Dev,

I have come across a few situations in the past few weeks where it would be useful to be able to do simple addition in 
rules without having to write a SO rule.  I know that Snort has the byte_extract functionality and you can provide a 
multiplier value to the extracted bytes before it gets stored in the variable.  However, are there any plans or 
thoughts that would allow addition (similar to multiplier) of static values (or variables from byte_extract) that would 
be applied to the extracted bytes before being stored in the variable?

Or could byte_test be expanded to include simple addition?  For example, a byte_test that checks if extracted_value1 > 
extracted_value2 + 12.

Thanks.

-Mike Cox
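To make the request concrete, here is a small Python model of the two rule options as the thread describes them. It is added here as an illustration and is not Snort code: byte_extract reads a field at an offset, applies the existing multiplier and then an `adder` keyword (the feature Mike asks for, which does not exist in Snort), and byte_test compares a field against a constant or an extracted variable. The sample payload, its field layout and the hypothetical rule in the comments are all constructed for this example, as is the simplification that fields are 1 to 4 bytes wide and read as unsigned integers.

```python
# Model of the byte_extract / byte_test semantics discussed in the thread.
# Constructed example, not Snort source. The "adder" parameter is the
# proposed feature, not a real byte_extract option.

# Operators of the form byte_test uses: < > = & ^ (bitwise tests are
# true when the result is non-zero). "!" in Snort negates the test; the
# model exposes it via a separate flag in byte_test.
OPERATORS = {
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "=": lambda a, b: a == b,
    "&": lambda a, b: (a & b) != 0,
    "^": lambda a, b: (a ^ b) != 0,
}


def byte_extract(payload, nbytes, offset, multiplier=1, adder=0, endian="big"):
    """Read `nbytes` at `offset`, convert to an unsigned integer, then apply
    multiplier and the proposed adder. Returns None when the read would run
    past the payload, so a malformed packet fails the rule instead of raising."""
    if not 1 <= nbytes <= 4:            # assumption: 1-4 byte integer fields only
        return None
    if offset < 0 or offset + nbytes > len(payload):
        return None
    raw = int.from_bytes(payload[offset:offset + nbytes], endian)
    return raw * multiplier + adder


def byte_test(payload, nbytes, operator, value, offset, negate=False, endian="big"):
    """Compare the field at `offset` against `value` (a constant or a value
    previously produced by byte_extract). Out-of-bounds reads never match."""
    read = byte_extract(payload, nbytes, offset, endian=endian)
    if read is None or value is None:
        return False
    result = OPERATORS[operator](read, value)
    return (not result) if negate else result


def match_rule(payload):
    """Hypothetical option chain for Mike's example
    'extracted_value1 > extracted_value2 + 12' in constructed rule syntax:
        byte_extract:2,4,v2,adder 12; byte_test:2,>,v2,2;
    Field 1 lives at offset 2, field 2 at offset 4, both 16-bit big-endian."""
    v2 = byte_extract(payload, 2, 4, adder=12)
    return byte_test(payload, 2, ">", v2, 2)


def build_payload(field1, field2):
    """Constructed toy message: 2-byte version, two 16-bit fields, 32 bytes of data."""
    return (b"\x01\x00"
            + field1.to_bytes(2, "big")
            + field2.to_bytes(2, "big")
            + b"A" * 32)


if __name__ == "__main__":
    print(match_rule(build_payload(32, 4)))    # True:  32 > 4 + 12
    print(match_rule(build_payload(16, 4)))    # False: 16 > 16 does not hold
    print(match_rule(b"\x01\x00\x00"))         # False: truncated payload
```

The bounds check in byte_extract is the part worth keeping whichever way the feature is implemented: a rule that adds a constant to an extracted value must still refuse to read outside the packet, and a short or truncated payload should simply not match rather than produce an error in the detection engine.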