[Snort-sigs] combining two rules?

Brian bmc at ...95...
Fri Feb 20 13:07:14 EST 2004


On Fri, Feb 20, 2004 at 01:10:57PM -0500, Steven Bairstow wrote:
> Is there any way that two rules that match on data differing only by
> one bit being set can be combined into one?  As an example, here
> is a pair where 28 becomes 29:
> 
> alert udp $HOME_NET any -> $HOME_NET any (msg:"test test 1"; content:"|28 10 4C 4F|";)
> alert udp $HOME_NET any -> $HOME_NET any (msg:"test test 2"; content:"|29 10 4C 4F|";)

This can be accomplished a few ways.

One, use pcre, which allows for ORing of contents.
alert udp $HOME_NET any -> $HOME_NET any (pcre:"/(\x28|\x29)\x10LO/"; content:"|10|LO"; distance:-3; within:3;)

Two, use byte_test to check for the value numerically before the string.
alert udp $HOME_NET any -> $HOME_NET any (content:"|10 4C 4F|"; byte_test:1,>,39,-4,relative; byte_test:1,<,42,-4,relative;)

Neither is very pretty, but both should work well enough.

Brian
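An added Python emulation (not from the list post) of the original rule pair and both of Brian's alternatives, run over constructed UDP payloads, so the negative relative offset in the byte_test option and the 39 < x < 42 range can be checked by hand:

```python
import re

# Constructed sample payloads (not from the post): the byte the question
# cares about is followed by 10 4C 4F, i.e. "\x10LO".
PAYLOADS = {
    "0x28": b"\x28\x10LO",
    "0x29": b"\x29\x10LO",
    "0x2a": b"\x2a\x10LO",            # one past the range; must not alert
    "later": b"abc\x29\x10LOxyz",     # pattern not at offset 0
    "no_lead": b"\x10LO",             # nothing before the anchor; must not alert
    "wrong_tail": b"\x28\x10LX",
}

def match_two_rules(payload: bytes) -> bool:
    """The original pair of rules: two literal content matches, ORed by hand."""
    return b"\x28\x10LO" in payload or b"\x29\x10LO" in payload

def match_pcre(payload: bytes) -> bool:
    """Option one: pcre alternation /(\\x28|\\x29)\\x10LO/."""
    return re.search(rb"(\x28|\x29)\x10LO", payload) is not None

def byte_test(payload: bytes, size: int, op: str, value: int,
              offset: int, cursor: int) -> bool:
    """Emulate byte_test with a relative offset: read `size` bytes at
    cursor+offset (cursor = end of the previous content match) as a
    big-endian unsigned integer and compare with `value`."""
    start = cursor + offset
    if start < 0 or start + size > len(payload):
        return False                  # read would fall outside the packet
    n = int.from_bytes(payload[start:start + size], "big")
    return {">": n > value, "<": n < value, "=": n == value}[op]

def match_byte_test(payload: bytes) -> bool:
    """Option two: content:"|10 4C 4F|", then two byte_tests on the byte
    4 back from the end of that match (39 < x < 42, i.e. 0x28 or 0x29).
    Every occurrence of the anchor is tried, as Snort does on a failed test."""
    anchor = b"\x10LO"
    pos = payload.find(anchor)
    while pos >= 0:
        cursor = pos + len(anchor)    # detection cursor after the match
        if (byte_test(payload, 1, ">", 39, -4, cursor)
                and byte_test(payload, 1, "<", 42, -4, cursor)):
            return True
        pos = payload.find(anchor, pos + 1)
    return False

def all_agree() -> bool:
    """True when all three formulations alert on exactly the same payloads."""
    return all(match_two_rules(p) == match_pcre(p) == match_byte_test(p)
               for p in PAYLOADS.values())
```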