[Snort-sigs] Does anyone know how to check the urgent pointer (not the URG flag)?

Matthew Watchinski mwatchinski at ...435...
Fri Jul 16 09:26:23 EDT 2004


No rule keyword, but a BPF filter can be used on a collect binary or via 
the snort command line.  Doing it on the command line will only capture the 
traffic provided by the filter and ignore the rest.

'tcp[18:2] != 0'

snort -vd 'tcp[18:2] != 0'

Cheers,
-matt

Joseph Gama wrote:

>Hello,
>
>I wanted to check the urgent pointer (offset 0x10) on
>a TCP packet. This is not the URG flag but the word
>after the checksum word in the packet. If you know it,
>please let me know.
>Thank you!
>
>Peace,
>
>Joseph Gama
>
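
The same test as `tcp[18:2] != 0`, carried out on raw packet bytes so the urgent pointer can be reported next to the state of the URG flag. This is an added example, not part of the original posts; the function names and the sample packets are constructed for illustration, and each buffer is assumed to start at the IPv4 header.

```python
import struct

def build_packet(flags, urp, ip_options=b""):
    """Constructed sample: IPv4 + TCP headers only, checksums left at zero."""
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, urp)
    return ip + ip_options + tcp

def urgent_pointer(packet):
    """Return (urg_flag_set, urgent_pointer) for an IPv4/TCP packet, else None.

    Assumes `packet` starts at the IPv4 header (link-layer header removed).
    """
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                              # not IPv4 carrying TCP
    if struct.unpack_from("!H", packet, 6)[0] & 0x1FFF:
        return None                              # later fragment: no TCP header here
    ihl = (packet[0] & 0x0F) * 4                 # IP options shift the TCP header
    tcp = packet[ihl:]
    if ihl < 20 or len(tcp) < 20:
        return None                              # malformed or truncated
    urg_flag = bool(tcp[13] & 0x20)              # URG bit in the flags byte
    (urp,) = struct.unpack_from("!H", tcp, 18)   # bytes 18-19, same as tcp[18:2]
    return urg_flag, urp

def matches_filter(packet):
    """Python equivalent of the BPF expression tcp[18:2] != 0."""
    parsed = urgent_pointer(packet)
    return parsed is not None and parsed[1] != 0

SAMPLES = {                                      # all constructed for this example
    "syn":             build_packet(0x02, 0),
    "ack_urg":         build_packet(0x30, 5),
    "urp_without_urg": build_packet(0x10, 0x1234),
    "ip_options":      build_packet(0x18, 7, ip_options=b"\x01\x01\x01\x00"),
}

def scan(samples):
    """Packets the filter would pass, mapped to (URG flag set, urgent pointer)."""
    return {name: urgent_pointer(pkt) for name, pkt in samples.items()
            if matches_filter(pkt)}

if __name__ == "__main__":
    for name, (flag, urp) in scan(SAMPLES).items():
        print(f"{name}: URG flag={'set' if flag else 'clear'} urgent pointer={urp}")
```
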




