Snort mailing list archives

Query on byte_math operator


From: Santosh Subramanya via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 31 Aug 2020 06:56:44 +0000

Hi Team,

I have a query on the byte_math operator. The Snort Manual says that the value for rvalue in byte_math can be between
0 - 4294967295. Does this mean that byte_math will not support rvalue having a negative value? Is there a way to store
negative values in rvalue?

I tried extracting a negative value using byte_extract and referencing that variable in rvalue, but I get a compilation
error. Is there a way to test underflow or overflow conditions in byte_math, like a variable having 0xffffffff and,
after performing byte_math addition or subtraction, we can store that value (overflow or underflow value) in rvalue and
later test that value using byte_test for overflow or underflow?

Can you please provide an answer to the above query?

Thanks and Regards,
Santosh
Sophos Technologies
Threat Researcher



