[Snort-devel] Bit Check Plug-In
g.coochey at ...482...
Sun Mar 24 11:45:02 EST 2002
> Good idea. I'm not crazy about the syntax though. Most (All?) of the
> people that can author rules that require this plugin are used to C
> syntax for this.
> I would like to see it be
> bit_check: byte 23 & 128; # byte 23 AND 128 is > 0
> bit_check: byte 23 ^ 128; # byte 23 XOR 128 is > 0
> I'd also like to see the arguments be specifiable in Hex.
Thanks - I'll look into that, although checking for a bit = 0 does have as
much value as whether it is 1 and still only call the plugin once. I'll look
into seeing whether it can be improved to support bit logic in general -
First thoughts are that it wouldn't be too difficult.
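
The syntax proposed in the quoted message, sketched as an added example (not code from this thread or from Snort): a parser and evaluator for `byte <offset> <op> <value>` that accepts decimal or hex operands and refuses to read past the end of the payload. The names `bit_check_t`, `bit_check_parse` and `bit_check_match`, the 0-based offset, and the sample payload are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical parsed form of "byte <offset> <op> <value>". */
typedef struct { size_t offset; char op; uint8_t value; } bit_check_t;

/* Constructed sample payload: byte 23 (0-based, an assumption) is 0x81. */
static const uint8_t sample_payload[32] = { [23] = 0x81 };

/* Parse e.g. "byte 23 & 128" or "byte 23 ^ 0x80;". Returns 0 or -1. */
int bit_check_parse(const char *arg, bit_check_t *out)
{
    unsigned long off, val;
    char op, *end;
    int n = 0;

    if (sscanf(arg, " byte %lu %c %n", &off, &op, &n) != 2)
        return -1;
    if (op != '&' && op != '^')
        return -1;
    val = strtoul(arg + n, &end, 0);      /* base 0: decimal or 0x hex */
    if (end == arg + n || val > 0xFF)
        return -1;
    while (*end == ' ' || *end == ';')
        end++;
    if (*end != '\0')
        return -1;
    out->offset = off; out->op = op; out->value = (uint8_t)val;
    return 0;
}

/* 1 = match, 0 = no match (including offset beyond the payload), -1 = bad rule. */
int bit_check_match(const char *arg, const uint8_t *payload, size_t len)
{
    bit_check_t bc;
    uint8_t b;

    if (bit_check_parse(arg, &bc) != 0)
        return -1;
    if (bc.offset >= len)
        return 0;                         /* never read past captured data */
    b = payload[bc.offset];
    return (bc.op == '&' ? (b & bc.value) : (b ^ bc.value)) > 0;
}

int main(void)
{
    printf("%d\n", bit_check_match("byte 23 & 0x80", sample_payload, sizeof sample_payload));
    return 0;
}
```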