[Snort-devel] byte_extract addition?

Mike Cox mike.cox52 at ...2499...
Thu Oct 9 13:22:31 EDT 2014


Hi Snort-Dev,

I have come across a few situations in the past few weeks where it would be
useful to be able to do simple addition in rules without having to write a
SO rule.  I know that Snort has the byte_extract functionality and you can
provide a multiplier value to the extracted bytes before it gets stored in
the variable.  However, Are there any plans or thoughts that would allow
addition (similar to multiplier) of static values (or variables from
byte_extract) that would be applied to the extracted bytes before being
stored in the variable?

Or could byte_test be expanded to include simple addition?  For example, a
byte_test that checks if extracted_value1 > extracted_value2 + 12.

Thanks.

-Mike Cox
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20141009/e19e1c55/attachment.html>


More information about the Snort-devel mailing list