[Snort-devel] Bit Check Plug-In
cmg at ...402...
Sun Mar 24 11:20:05 EST 2002
"Coochey, Giles" <g.coochey at ...482...> writes:
> I am attaching the Bit Check Plugin as a patch for snort-daily.
> I'll also shortly be adding it to http://gc-spider.homeip.net
> It essentially takes three arguments:
> x is a byte location or offset below the TCP or UDP header of the packet.
> y is an AND value
> z is the required result
Good idea. I'm not crazy about the syntax though. Most (All?) of the
people that can author rules that require this plugin are used to C
syntax for this.
I would like to see it be
    bit_check: byte 23 & 128; # byte 23 AND 128 is > 0
    bit_check: byte 23 ^ 128; # byte 23 XOR 128 is > 0
I'd also like to see the arguments be specifiable in Hex.
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.
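
Added example, not code from the attached patch or from the Snort source: a sketch of a parser and evaluator for the C-style option form suggested in the reply above, accepting decimal or hex arguments. The names `bit_check_t`, `bit_check_parse` and `bit_check_eval`, the 0xFFFF offset limit and the "result > 0 means match" rule (taken from the comments in the reply) are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed form of one bit_check option (not Snort's own struct). */
typedef struct {
    size_t  offset;  /* byte offset below the TCP/UDP header */
    char    op;      /* '&' or '^' */
    uint8_t value;   /* operand, given in decimal or hex */
} bit_check_t;

/* Parse an unsigned number (base 0: decimal or 0x hex) no larger than max. */
static int parse_num(const char **p, unsigned long max, unsigned long *v)
{
    char *end;
    while (**p == ' ') (*p)++;
    if (!isdigit((unsigned char)**p)) return -1;  /* rejects sign, empty */
    errno = 0;
    *v = strtoul(*p, &end, 0);
    if (errno || *v > max) return -1;
    *p = end;
    return 0;
}

/* Parse "byte <offset> <&|^> <value>;". Returns 0 on success, -1 if malformed. */
int bit_check_parse(const char *s, bit_check_t *out)
{
    unsigned long off, val;
    while (*s == ' ') s++;
    if (strncmp(s, "byte ", 5) != 0) return -1;
    s += 5;
    if (parse_num(&s, 0xFFFF, &off)) return -1;
    while (*s == ' ') s++;
    if (*s != '&' && *s != '^') return -1;
    out->op = *s++;
    if (parse_num(&s, 0xFF, &val)) return -1;
    while (*s == ' ') s++;
    if (*s != ';') return -1;
    out->offset = (size_t)off;
    out->value = (uint8_t)val;
    return 0;
}

/* 1 if the result is > 0, else 0; an offset outside the payload never matches. */
int bit_check_eval(const bit_check_t *bc, const uint8_t *payload, size_t len)
{
    if (bc->offset >= len) return 0;  /* bounds check before any read */
    uint8_t b = payload[bc->offset];
    return (uint8_t)(bc->op == '&' ? b & bc->value : b ^ bc->value) > 0;
}
```

The bounds check in `bit_check_eval` is the part a detection plugin cannot skip: the offset comes from a rule file, the length from the wire, and a short packet must fail the match rather than cause a read past the captured data.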