Snort mailing list archives

byte_test


From: Frank Garvis via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 23 Mar 2020 08:32:51 -0400

Hi all!

I’m trying to step through Snort rules because I have a general
understanding of how the rules work, but there are some finer points like
byte_test where I’m not sure how it fits into how a rule fires.  Let's take
sid:47477 for instance.  The rule fired but there's no content byte match
in the packet data.  I'm figuring that the byte_test only goes if the
content match fires, but in this case there isn't, so did the rule default
to the byte_match and match on that?  Also a bit fuzzy on how to read
"byte_test:2,>0x2710,76 little;"  So am I looking for 0x2710 after byte 2
offset?  I want to determine if this is a false positive and to tune the
rule, or if it's a true positive and I need to look into it further.   Any
help and/or references are appreciated!


Frank
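As an added example, not code from the Snort project or from this list thread: a small Python emulation of how a byte_test option is read and evaluated next to a content match, run on a constructed payload. The canonical Snort syntax separates the operator and the value with a comma (byte_test:2,>,0x2710,76,little;), so the parser below accepts that form as well as the spelling quoted in the question.

```python
import re
from typing import Optional

# Constructed sample payload (not from the list post): 76 filler bytes, then the
# two bytes 0x11 0x27 that the byte_test reads, then some trailing data.
SAMPLE = b"A" * 76 + b"\x11\x27" + b"tail"

def parse_byte_test(args: str) -> dict:
    """Parse byte_test arguments: bytes_to_convert, [!]operator, value, offset
    [, relative] [, big|little] ...  Also tolerates "2,>0x2710,76 little"
    (operator glued to its value, whitespace instead of commas)."""
    tokens = args.replace(",", " ").split()
    m = re.fullmatch(r"(!?)(>=|<=|>|<|=|&|\^)(.*)", tokens[1])
    negate, op, glued = bool(m.group(1)), m.group(2), m.group(3)
    rest = ([glued] if glued else []) + tokens[2:]
    value, offset, mods = int(rest[0], 0), int(rest[1], 0), set(rest[2:])
    return {"num_bytes": int(tokens[0]), "negate": negate, "op": op,
            "value": value, "offset": offset, "relative": "relative" in mods,
            "endian": "little" if "little" in mods else "big"}

def byte_test(payload: bytes, base: int, bt: dict) -> bool:
    """Read num_bytes at base+offset, convert as an unsigned integer (big-endian
    unless 'little' is set) and compare; reading past the payload never matches."""
    start = base + bt["offset"]
    end = start + bt["num_bytes"]
    if start < 0 or end > len(payload):
        return False
    extracted = int.from_bytes(payload[start:end], bt["endian"])
    v = bt["value"]
    ok = {">": extracted > v, "<": extracted < v, "=": extracted == v,
          ">=": extracted >= v, "<=": extracted <= v,
          "&": (extracted & v) != 0, "^": (extracted ^ v) != 0}[bt["op"]]
    return (not ok) if bt["negate"] else ok

def rule_matches(payload: bytes, content: Optional[bytes], bt: dict) -> bool:
    """Rule options are ANDed: a content keyword must match first or the rule
    cannot fire, whatever byte_test would say. Without 'relative' the byte_test
    offset counts from payload byte 0; with 'relative' it counts from the end of
    the last content match."""
    doe = 0  # detect-offset-end: where the last content match ended
    if content is not None:
        idx = payload.find(content)
        if idx < 0:
            return False
        doe = idx + len(content)
    base = doe if bt["relative"] else 0
    return byte_test(payload, base, bt)

if __name__ == "__main__":
    bt = parse_byte_test("2,>0x2710,76 little")
    print(rule_matches(SAMPLE, None, bt))  # True: 0x2711 (10001) > 0x2710 (10000)
```

Reading the same two bytes big-endian gives 0x1127 (4391), which fails the test, so the endian modifier decides the outcome here.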
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads