Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Detection of hex pattern given directly in a TCP header

From: rmkml <rmkml () ligfy org>
Date: Thu, 12 Oct 2017 22:55:57 +0200 (CEST)
Try stream5 preproc with detect_anomalies enabled,

Could you share a pcap for testing ?

Best Regards
@Rmkml

On Thu, 12 Oct 2017, Yury Markin wrote:



Rmkml, thank you for the answer!

I want to detect packets with certain values of TCP options, e.g. packets with max segment size (1000) and window scale 
(0). It would be great if you can advise how this scenario may be implemented.

Best wishes, Ustas.

Чт 12.10.2017 20:34, rmkml пишет:
      Hi Ustas,

      Yes you are right, is not possible to detect content on tcp header,

      but could you describe more what you want to detect exactly on tcp header please ?

      Best Regards
      @Rmkml

      On Thu, 12 Oct 2017, Маркин Юрий Витальевич wrote:

            Hello,

            I'm trying to create the Snort rule for detection hex pattern given
            directly (like "|0a 01 0f 03|") in a TCP header (or IP payload). As far
            as I know 'content' keyword can not help me because it is used to search
            hex pattern in a transport layer protocol payload, but not in the
            payload of network layer protocol. I tried to use 'offset' keyword with
            a negative value to "move" a cursor to the left of the TCP payload, but
            this method has failed.

            Is it possible for Snort to detect hex pattern in a TCP header?

            Thanks in advance.


            _______________________________________________
            Snort-sigs mailing list
            Snort-sigs () lists snort org
            https://lists.snort.org/mailman/listinfo/snort-sigs

            http://www.snort.org

            Please visit http://blog.snort.org for the latest news about Snort!

            Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" 
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!





_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" 
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: