Snort mailing list archives
Re: byte_test
From: "Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Wed, 25 Mar 2020 14:34:40 +0000
It’s measuring two bytes that are 76 bytes from the beginning of the packet (notice there is no “relative” in that rule option), and it measures those bytes to see if they are greater than 0x2710, in little endian.

If you are experiencing any false positives with that rule, please report them!
https://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com | https://www.snort.org
On Mar 23, 2020, at 8:32 AM, Frank Garvis via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi all!

I’m trying to step through Snort rules because I have a general understanding of how the rules work, but there are some finer points like byte_test where I’m not sure how it fits into how a rule fires.

Let's take sid:47477 for instance. The rule fired but there's no content byte match in the packet data. I'm figuring that the byte_test only goes if the content match fires, but in this case there isn't, so did the rule default to the byte_match and match on that?

Also a bit fuzzy on how to read "byte_test:2,>0x2710,76 little;" So am I looking for 0x2710 after byte 2 offset?

I want to determine if this is a false positive and to tune the rule, or if it's a true positive and I need to look into it further.

Any help and/or references are appreciated!

Frank

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
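The byte_test semantics described in the reply above (two bytes, 76 bytes from the start of the buffer, no "relative", compared as a little-endian integer against 0x2710), written out as a small Python model so the option can be parsed and evaluated against a buffer. This is an added example, not part of the thread and not Snort's own code. The 80-byte payload is constructed for the example (bytes 11 27 at offset 76), and the parser's tolerance for both the `2,>0x2710,76 little` spelling seen in the thread and the comma-separated `2,>,0x2710,76,little` form is an assumption; Snort's own rule parser is stricter.

```python
"""Minimal model of Snort's byte_test rule option (added example, not Snort code)."""
import operator
import re

# Comparison operators byte_test supports. A leading '!' negates the result.
OPS = {
    "<": operator.lt,
    ">": operator.gt,
    "<=": operator.le,
    ">=": operator.ge,
    "=": operator.eq,
    "&": lambda a, b: (a & b) != 0,   # bitwise AND is non-zero
    "^": lambda a, b: (a ^ b) != 0,   # bitwise XOR is non-zero
}


def byte_test(payload, count, op, value, offset, *, endian="big",
              relative=False, negate=False, cursor=0):
    """Evaluate one byte_test against a payload buffer.

    count    number of bytes to read (1, 2 or 4 for binary data)
    op       comparison operator, a key of OPS
    value    the number to compare against (0x2710 == 10000)
    offset   where to read from: the start of the payload, or, when relative
             is True, from cursor (where the previous content match ended).
             Without 'relative' the cursor is ignored entirely.
    Bytes that would run past the end of the payload never match.
    """
    start = cursor + offset if relative else offset
    end = start + count
    if start < 0 or end > len(payload):
        return False
    extracted = int.from_bytes(payload[start:end], endian)
    result = OPS[op](extracted, value)
    return (not result) if negate else result


def parse_byte_test(args):
    """Turn the argument string of a byte_test option into keyword arguments.

    Accepts '2,>0x2710,76 little' as quoted in the thread as well as the
    comma-separated '2,>,0x2710,76,little' form. Accepting both is an
    assumption made for this example, not a statement about Snort's parser.
    """
    tokens = re.split(r"[,\s]+", args.strip())
    count = int(tokens[0], 0)
    m = re.fullmatch(r"(!?)(<=|>=|[<>=&^])?(.*)", tokens[1])
    negate = m.group(1) == "!"
    op = m.group(2)
    fused_value = m.group(3)
    if not op:
        if not negate:
            raise ValueError("byte_test needs an operator")
        op = "="                      # a bare '!' means 'not equal'
    if fused_value:                   # operator glued to the value: '>0x2710'
        value, next_idx = int(fused_value, 0), 2
    else:                             # separate tokens: '>', '0x2710'
        value, next_idx = int(tokens[2], 0), 3
    offset = int(tokens[next_idx], 0)
    mods = set(tokens[next_idx + 1:])
    return {"count": count, "op": op, "value": value, "offset": offset,
            "negate": negate,
            "endian": "little" if "little" in mods else "big",
            "relative": "relative" in mods}


# Constructed test payload (not a capture from the thread): 80 bytes, with the
# two bytes at offset 76 set to 11 27. Read little-endian that is 0x2711 = 10001,
# one more than 0x2710; read big-endian it is 0x1127 = 4391.
SAMPLE_PAYLOAD = bytes(76) + bytes([0x11, 0x27]) + bytes(2)
RULE_OPTION = "2,>0x2710,76 little"


def evaluate(payload=SAMPLE_PAYLOAD, option=RULE_OPTION, **overrides):
    """Parse the option, apply any keyword overrides, evaluate against payload."""
    kwargs = parse_byte_test(option)
    kwargs.update(overrides)
    return byte_test(payload, **kwargs)


if __name__ == "__main__":
    print("as written (little-endian):", evaluate())
    print("same bytes read big-endian:", evaluate(endian="big"))
    print("payload shorter than 78 bytes:", evaluate(SAMPLE_PAYLOAD[:77]))
    print("cursor ignored without 'relative':", evaluate(cursor=40))
    print("with 'relative' and cursor=40:", evaluate(relative=True, cursor=40))
```

The last two lines of the demo are the point of the "no relative" remark: without the `relative` modifier the offset is counted from the start of the buffer no matter where an earlier content match left the cursor, so the test reads the same two bytes whether or not anything matched before it. Reading the same two bytes big-endian flips the result, which is why the `little` modifier matters when you reproduce a hit by hand.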
Current thread:
- byte_test Frank Garvis via Snort-sigs (Mar 25)
- Re: byte_test Joel Esler (jesler) via Snort-sigs (Mar 25)
- Re: byte_test Joel Esler (jesler) via Snort-sigs (Mar 25)
- Re: byte_test Joel Esler (jesler) via Snort-sigs (Mar 25)