[Snort-devel] Bit Check Plug-In

Coochey, Giles g.coochey at ...482...
Sun Mar 24 11:45:02 EST 2002


>
> Good idea. I'm not crazy about the syntax though.  Most (All?) of the
> people that can author rules that require this plugin are used to C
> syntax for this.
>
True

> I would like to see it be
>
> bit_check: byte 23 & 128;  # byte 23 AND 128 is > 0
> bit_check: byte 23 ^ 128;  # byte 23 XOR 128 is > 0
>
> I'd also like to see the arguments be specifiable in Hex.
> --

Thanks - I'll look into that, although checking for a bit = 0 does have as
much value as whether it is 1 and still only call the plugin once. I'll look
into seeing whether it can be improved to support bit logic in general.
First thoughts are that it wouldn't be too difficult.

Thanks again,

Giles
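
An added example, not part of the original thread and not the plugin's code: a small C parser and evaluator for the "byte <offset> <op> <value>" form proposed above, accepting decimal or hex operands. The zero-based offset, the "!" prefix for the "bit = 0" case, and every name here are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical parsed form of "byte <offset> <op> <value>" (not Snort's struct). */
typedef struct {
    unsigned long offset;  /* payload index, assumed zero-based */
    char op;               /* '&' or '^' */
    unsigned char value;   /* operand, decimal or 0x-prefixed hex */
    int want_zero;         /* assumed '!' prefix: match when result == 0 */
} bit_check_t;
static const char *skip_ws(const char *s) { while (isspace((unsigned char)*s)) s++; return s; }
/* Read a decimal or 0x-hex number; NULL if no digits are present. */
static const char *parse_num(const char *s, unsigned long *out) {
    int hex = (s[0] == '0' && (s[1] == 'x' || s[1] == 'X'));
    char *end;
    if (!(hex ? isxdigit((unsigned char)s[2]) : isdigit((unsigned char)s[0]))) return NULL;
    *out = strtoul(s, &end, hex ? 16 : 10);
    return end;
}

/* Parse the option argument; 0 on success, -1 on malformed input. */
int bit_check_parse(const char *arg, bit_check_t *bc) {
    unsigned long v;
    arg = skip_ws(arg);
    bc->want_zero = (*arg == '!');
    if (bc->want_zero) arg = skip_ws(arg + 1);
    if (strncmp(arg, "byte", 4) != 0 || !isspace((unsigned char)arg[4])) return -1;
    if (!(arg = parse_num(skip_ws(arg + 4), &bc->offset))) return -1;
    arg = skip_ws(arg);
    if (*arg != '&' && *arg != '^') return -1;
    bc->op = *arg;
    if (!(arg = parse_num(skip_ws(arg + 1), &v)) || v > 0xFF) return -1;
    bc->value = (unsigned char)v;
    arg = skip_ws(arg);
    return (*arg == '\0' || *arg == ';') ? 0 : -1;
}

/* Constructed 24-byte sample payload: only byte 23 is set, to 0x80. */
static const unsigned char SAMPLE[24] = { [23] = 0x80 };

/* 1 = match, 0 = no match (including an offset beyond the payload), -1 = bad rule. */
int bit_check_match(const char *arg, const unsigned char *payload, size_t len) {
    bit_check_t bc;
    unsigned char r;
    if (bit_check_parse(arg, &bc) != 0) return -1;
    if (bc.offset >= len) return 0;  /* never read past the captured payload */
    r = (bc.op == '&') ? (payload[bc.offset] & bc.value) : (payload[bc.offset] ^ bc.value);
    return bc.want_zero ? (r == 0) : (r != 0);
}
```

With the "> 0" reading from the quoted comments, the XOR form matches whenever the byte differs from the operand, so "byte 23 ^ 128" does not match a byte that is exactly 0x80.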




