Snort mailing list archives
byte_test
From: Frank Garvis via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 23 Mar 2020 08:32:51 -0400
Hi all!

I'm trying to step through Snort rules because I have a general understanding of how the rules work, but there are some finer points like byte_test where I'm not sure how it fits into how a rule fires. Let's take sid:47477 for instance. The rule fired but there's no content byte match in the packet data. I'm figuring that the byte_test only goes if the content match fires, but in this case there isn't, so did the rule default to the byte_match and match on that? Also a bit fuzzy on how to read "byte_test:2,>0x2710,76 little;" So am I looking for 0x2710 after byte 2 offset?

I want to determine if this is a false positive and to tune the rule, or if it's a true positive and I need to look into it further. Any help and/or references are appreciated!

Frank
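The byte_test semantics the question is about can be modelled in a few lines. The following Python is an added example, not part of the thread and not Snort's code; it reads the option in the documented field order (bytes to convert, operator, value, offset, then modifiers such as `little` or `relative`), so `byte_test:2,>,0x2710,76,little` means: take the 2 bytes at payload offset 76, interpret them as an unsigned little-endian integer, and succeed if that integer is greater than 0x2710 (10000). It also models the point that rule options are ANDed: a `byte_test` is only evaluated once the preceding `content` has matched, and with `relative` its offset is counted from the end of that match rather than from the start of the payload. The payload, the content string and the option values below are constructed for illustration and say nothing about sid:47477; the `string` conversion modifier is deliberately not implemented.

```python
import struct

# Constructed sample payload (not from the post and not from any real capture):
# 76 bytes of filler, then a 2-byte little-endian field, then padding.
SAMPLE_PAYLOAD = b"A" * 76 + struct.pack("<H", 0x2711) + b"\x00" * 4

# Comparison operators byte_test documents (<, >, =, &, ^), plus <= and >=
# accepted by newer releases. The "!" prefix is handled via the negate flag.
OPERATORS = {
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "=": lambda a, b: a == b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "&": lambda a, b: (a & b) != 0,
    "^": lambda a, b: (a ^ b) != 0,
}


def byte_test(payload, num_bytes, operator, value, offset,
              endian="big", relative=False, doe=0, negate=False):
    """Evaluate one binary byte_test option against a payload.

    num_bytes: bytes to convert (1-4 for a binary byte_test)
    offset:    position to read from; counted from the payload start, or
               from the detect-offset-end cursor `doe` when relative=True
    endian:    "big" (Snort's default) or "little"
    Returns (matched, extracted_value). extracted_value is None when the
    read window runs past the payload, which counts as a miss.
    """
    start = (doe if relative else 0) + offset
    end = start + num_bytes
    if start < 0 or end > len(payload):
        return False, None
    order = "little" if endian == "little" else "big"
    extracted = int.from_bytes(payload[start:end], order)
    result = OPERATORS[operator](extracted, value)
    return (not result if negate else result), extracted


def rule_fires(payload, content, bt_args):
    """Minimal model of how options combine in one rule: every option must
    match (they are ANDed), and a relative byte_test is measured from the
    end of the preceding content match. If content misses, byte_test is
    never reached and the rule cannot fire."""
    idx = payload.find(content)
    if idx < 0:
        return False
    doe = idx + len(content)          # cursor just past the content match
    matched, _ = byte_test(payload, doe=doe, **bt_args)
    return matched


if __name__ == "__main__":
    # byte_test:2,>,0x2710,76,little  against the constructed payload
    print(byte_test(SAMPLE_PAYLOAD, 2, ">", 0x2710, 76, endian="little"))
    # Same bytes read big-endian: 0x1127 = 4391, which is not > 10000
    print(byte_test(SAMPLE_PAYLOAD, 2, ">", 0x2710, 76))
    # content:"AAAA"; byte_test:2,>,0x2710,72,relative,little
    print(rule_fires(SAMPLE_PAYLOAD, b"AAAA",
                     dict(num_bytes=2, operator=">", value=0x2710,
                          offset=72, relative=True, endian="little")))
    # content:"ZZ" is absent, so the rule cannot fire whatever byte_test says
    print(rule_fires(SAMPLE_PAYLOAD, b"ZZ",
                     dict(num_bytes=2, operator=">", value=0x2710,
                          offset=76, endian="little")))
```

Running the script prints `(True, 10001)`, `(False, 4391)`, `True` and `False`. The second line shows why the endianness modifier matters: the same two bytes read big-endian fail the comparison. When tuning a rule, the practical check is therefore to look at the exact bytes at the option's offset (absolute, or relative to the content hit) and confirm which reading the rule author intended.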