[Snort-devel] Bit Check Plug-In

Chris Green cmg at ...402...
Sun Mar 24 11:20:05 EST 2002


"Coochey, Giles" <g.coochey at ...482...> writes:

> I am attaching the Bit Check Plugin as a patch for snort-daily.
>
> I'll also shortly be adding it to http://gc-spider.homeip.net
>
> It essentially takes three arguments:
>
> bit:x,y,z;
>
> x is a byte location or offset below the TCP or UDP header of the packet.
> y is a AND value
> z is the required result


Good idea. I'm not crazy about the syntax though.  Most (All?) of the
people that can author rules that require this plugin are used to C
syntax for this.

I would like to see it be

bit_check: byte 23 & 128;  # byte 23 AND 128 is > 0
bit_check: byte 23 ^ 128;  # byte 23 XOR 128 is > 0

I'd also like to see the arguments be specifiable in Hex.
-- 
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.





More information about the Snort-devel mailing list