[Snort-sigs] Matching question

Jason Brvenik jasonb at ...435...
Mon Jul 18 21:37:01 EDT 2005


You are a little off on the depth area.

content:"|FF 51|"; content:"|00 01 02 00 00|"; distance:1;

is more likely what you want.

Are there any other unique bits?

Can you send a sample pkt with some background?

Ron wrote:
> I have a pretty simple question, with hopefully a simple answer.
> 
> I'd like to match a packet that looks like this:
> |FF 51 xx 00 01 02 00 00 ...|
> 
> That is, starting with FF 51, then any byte, then 00 01 02 00 00, then
> any other number of bytes.
> 
> This is what I have now:
> content:"|FF 51|"; depth:0; content:"|00 01 02 00 00|"
> 
> But that's going to hit some false positives.
> 
> Any ideas?
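A small Python model of the content modifiers discussed in this thread, added here as an illustration (it is not code from the thread or from Snort). It compares two positionally unconstrained contents, the distance:1 suggestion, and a tighter variant using depth:2 and within:5, which is an assumption of this example; all payloads are constructed.

```python
# Simplified model of Snort content matching with depth/distance/within.
# Added example: rule names, payloads and the TIGHT variant are constructed here.

def find_all(data, pat, start, end):
    """Yield every index where pat lies wholly inside data[start:end]."""
    i = data.find(pat, start, end)
    while i != -1:
        yield i
        i = data.find(pat, i + 1, end)

def matches(payload, contents, prev_end=0):
    """True if every content matches in order, retrying earlier hits if needed."""
    if not contents:
        return True
    pat, opts = contents[0]
    relative = "distance" in opts or "within" in opts
    # Relative contents start after the previous match; absolute ones at byte 0.
    start = max(prev_end + opts.get("distance", 0), 0) if relative else 0
    end = len(payload)
    if "depth" in opts:      # search only the first `depth` bytes
        end = min(end, start + opts["depth"])
    if "within" in opts:     # pattern must fit in `within` bytes after start
        end = min(end, start + opts["within"])
    return any(matches(payload, contents[1:], i + len(pat))
               for i in find_all(payload, pat, start, end))

HEAD, BODY = bytes.fromhex("ff51"), bytes.fromhex("0001020000")

RULES = {
    # Both contents anywhere in the payload, in any order.
    "unanchored": [(HEAD, {}), (BODY, {})],
    # content:"|FF 51|"; content:"|00 01 02 00 00|"; distance:1;
    "distance1": [(HEAD, {}), (BODY, {"distance": 1})],
    # Assumed tightening: depth:2 on the first, distance:1; within:5 on the second.
    "tight": [(HEAD, {"depth": 2}), (BODY, {"distance": 1, "within": 5})],
}

PAYLOADS = {  # constructed samples
    "target":   bytes.fromhex("ff51410001020000dead"),    # FF 51 xx 00 01 02 00 00 ...
    "far":      bytes.fromhex("ff514142430001020000"),    # three filler bytes
    "mid":      bytes.fromhex("4141ff51410001020000"),    # FF 51 not at byte 0
    "reversed": bytes.fromhex("0001020000ff51"),          # patterns out of order
    "adjacent": bytes.fromhex("ff510001020000"),          # no wildcard byte
}

def verdicts(rule_name):
    """Return {payload_name: bool} for one rule over all sample payloads."""
    return {n: matches(p, RULES[rule_name]) for n, p in PAYLOADS.items()}

if __name__ == "__main__":
    for name in RULES:
        print(name, verdicts(name))
```

In this model, distance:1 alone enforces ordering and a minimum one-byte gap but still fires on the "far" and "mid" payloads; only the variant with depth and within is limited to the exact layout in the question.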