[Snort-sigs] How to filter by only the first 3 bytes of data?

Brian bmc at ...95...
Wed Jul 7 07:29:10 EDT 2004


On Tue, Jul 06, 2004 at 07:25:42PM -0700, Joseph Gama wrote:
> Hello!
> I am a newbie, so be gentle, ok? :)

We are, mostly. :)

> I am trying to create a rule that will look for the
> first 3 bytes of data in a UDP packet to see if they
> match 0x083A1.

Uh, except that's not what your rule looks for.

> content:"|08 3A 31|"; depth:3;

Try this:

content:"|00 83 A1|"; depth:3;

Brian
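
Added example (not part of the original message, and not Snort's own code): a simplified Python model of how a content string with |hex| sections decodes to bytes and how depth:3 limits the match to the first three payload bytes, comparing the two patterns from the thread. The function names and sample payloads are constructed for illustration; backslash escapes and other content modifiers are not modelled.

```python
import re
from typing import Optional


def parse_content(spec: str) -> bytes:
    """Decode a content string: |..| sections are hex byte pairs, the rest is ASCII.
    Simplified model: backslash escapes are not handled."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("ascii")
        else:
            digits = re.sub(r"\s+", "", part)
            if len(digits) % 2:
                raise ValueError("hex section needs whole bytes: |%s|" % part)
            out += bytes.fromhex(digits)
    return bytes(out)


def hex_value_to_bytes(value: str, width: int) -> bytes:
    """Write a hex number such as 0x083A1 as `width` big-endian bytes, zero-padded on the left."""
    return int(value, 16).to_bytes(width, "big")


def content_match(payload: bytes, pattern: bytes, depth: Optional[int] = None) -> bool:
    """True if pattern occurs entirely within the first `depth` payload bytes."""
    window = payload if depth is None else payload[:depth]
    return pattern in window


# Constructed sample UDP payloads (not captured traffic).
PAYLOAD_PADDED = bytes.fromhex("0083a1") + b"rest"    # starts with 00 83 A1
PAYLOAD_ORIGINAL = bytes.fromhex("083a31") + b"rest"  # starts with 08 3A 31
PAYLOAD_SHIFTED = b"\xff" + bytes.fromhex("0083a1")   # same bytes, one byte too late

if __name__ == "__main__":
    samples = (("padded", PAYLOAD_PADDED), ("original", PAYLOAD_ORIGINAL),
               ("shifted", PAYLOAD_SHIFTED))
    for rule in ("|08 3A 31|", "|00 83 A1|"):
        pat = parse_content(rule)
        for name, payload in samples:
            print(rule, name, content_match(payload, pat, depth=3))
```

With a three-byte pattern, depth:3 only matches when the pattern starts at the first payload byte, so the shifted payload does not match.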



