Snort mailing list archives
base64_data offset question
From: Duane Howard via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 5 Dec 2019 21:18:28 -0800
I've seen a few rules[0][1] included in the Registered ruleset on snort.org that contain something like:

    base64_decode:bytes 1000,offset 0,relative;

The snort user-manual, however, explicitly states[2] that

    offset: Determines the offset relative to the doe_ptr when the option relative is specified or relative to the start of the packet payload to begin inspection of base64 encoded data. *This argument takes positive and non-zero values only.*

I presume the documentation is incorrect in this case? Otherwise there are a few rules in the community set that exhibit this behavior and could be corrected.

Thanks,
Duane

[0] sid:51438
[1] sid:52028
[2] http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION004529000000000000000
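An added example, not part of the original post and not Snort project code: a small Python audit that lists every rule whose `base64_decode` offset is zero or negative, the values the quoted manual text says the argument does not take. The sample rules, their sids and the function names are constructed for illustration.

```python
import re

# Matches one base64_decode option; its argument list is optional.
B64_OPT = re.compile(r'\bbase64_decode\s*(?::\s*([^;]*))?;')
SID_OPT = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_base64_decode(args):
    """Parse 'bytes N, offset N, relative' into a dict of the arguments present."""
    parsed = {"bytes": None, "offset": None, "relative": False}
    for token in filter(None, (t.strip() for t in (args or "").split(","))):
        parts = token.split()
        if parts[0] == "relative" and len(parts) == 1:
            parsed["relative"] = True
        elif parts[0] in ("bytes", "offset") and len(parts) == 2:
            parsed[parts[0]] = int(parts[1])
        else:
            raise ValueError(f"unrecognised base64_decode argument: {token!r}")
    return parsed

def audit_rules(rules_text):
    """Return (sid, offset, relative) for each base64_decode whose offset is
    not positive, i.e. outside what the manual text says is accepted."""
    findings = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and disabled/commented rules
        sid = SID_OPT.search(line)
        for m in B64_OPT.finditer(line):
            opt = parse_base64_decode(m.group(1))
            if opt["offset"] is not None and opt["offset"] <= 0:
                findings.append((int(sid.group(1)) if sid else None,
                                 opt["offset"], opt["relative"]))
    return findings

# Constructed sample rules (not taken from any real ruleset; sids are made up).
SAMPLE_RULES = """
alert tcp any any -> any 80 (msg:"constructed A"; content:"Authorization: Basic"; base64_decode:bytes 1000,offset 0,relative; base64_data; content:"admin"; sid:1000001;)
alert tcp any any -> any 80 (msg:"constructed B"; content:"Authorization: Basic"; base64_decode:bytes 12,offset 6,relative; base64_data; content:"admin"; sid:1000002;)
alert tcp any any -> any 80 (msg:"constructed C"; base64_decode; base64_data; content:"admin"; sid:1000003;)
# alert tcp any any -> any 80 (msg:"constructed D, disabled"; base64_decode:offset 0; sid:1000004;)
"""

if __name__ == "__main__":
    for sid, offset, relative in audit_rules(SAMPLE_RULES):
        print(f"sid {sid}: base64_decode offset {offset} (relative={relative})")
```

Run against a local rules file by passing its text to `audit_rules`; the output is a list of sids to review, not a verdict on whether the engine accepts the value.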