[Snort-sigs] Matching question

Ron iago at ...3116...
Mon Jul 18 12:25:58 EDT 2005


I have a pretty simple question, with hopefully a simple answer.

I'd like to match a packet that looks like this:
|FF 51 xx 00 01 02 00 00 ...|

That is, starting with FF 51, then any byte, then 00 01 02 00 00, then
any other number of bytes.

This is what I have now:
content:"|FF 51|"; depth:0; content:"|00 01 02 00 00|"

But that's going to hit some false positives.

Any ideas?

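One way to tie the two contents together, as an added example that is not part of the original post: content:"|FF 51|"; depth:2; content:"|00 01 02 00 00|"; distance:1; within:5; The Python below is a simplified model of those modifiers (not Snort's own code) run over constructed payloads; the "loose" matcher assumes the posted rule lets each content match anywhere in the payload.

```python
# Added example: simplified model of Snort content matching (depth,
# distance, within) run over constructed payloads. Not Snort's own code.
HEAD = bytes.fromhex("ff51")
TAIL = bytes.fromhex("0001020000")

def find_content(payload, pattern, start=0, window=None):
    """Return the offset just past the first match of `pattern` lying wholly
    inside payload[start:start+window], or None if there is no such match."""
    end = len(payload) if window is None else min(len(payload), start + window)
    idx = payload.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)

def match_loose(payload):
    # Assumed reading of the posted rule: each content may match anywhere,
    # and the second is not positioned relative to the first.
    return (find_content(payload, HEAD) is not None
            and find_content(payload, TAIL) is not None)

def match_anchored(payload):
    # content:"|FF 51|"; depth:2;  -> only the first two payload bytes
    cursor = find_content(payload, HEAD, 0, window=2)
    if cursor is None:
        return False
    # content:"|00 01 02 00 00|"; distance:1; within:5;
    # -> skip one byte, then the five bytes must follow immediately
    return find_content(payload, TAIL, cursor + 1, window=5) is not None

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "wanted":       bytes.fromhex("ff51 7a 0001020000 deadbeef"),
    "head_mid":     bytes.fromhex("4142 ff51 43 0001020000"),
    "gap_too_long": bytes.fromhex("ff51 7a7a 0001020000"),
    "tail_first":   bytes.fromhex("0001020000 41 ff51"),
    "truncated":    bytes.fromhex("ff51 7a 000102"),
}

def evaluate():
    """Map sample name -> (loose result, anchored result)."""
    return {name: (match_loose(p), match_anchored(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (loose, anchored) in evaluate().items():
        print(f"{name:13} loose={loose!s:5} anchored={anchored}")
```

An equivalent absolute form for the second content is offset:3; depth:5; since the first content is pinned to the start of the payload.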