[Snort-sigs] Matching question

Ron iago at ...3116...
Tue Jul 19 06:22:51 EDT 2005



Does "distance" mean absolute relative distance?

The reason I had depth: 0 is because the FF 51 is at the start of the
packet.

Here are a couple of examples of packets (I'm going to mix hex and ASCII
where it's easier):

"|FF 51 09 00 01 00 00 00 00|"
"|FF 51 11 00 01 00 00 00|error text|00|"

The packets are in the form:
FF
51
packet size (2 bytes, little endian)
status code (4 bytes, little endian)
error string (null terminated string)

What I want to detect is that the packet starts with |FF 51|; I don't
care about the size; I want to detect a certain error code (|01 00 00
00|); and I don't care about the error text.

Will depth:0 and distance:1 accomplish that uniquely?

Thanks
Ron

Jason Brvenik wrote:
> you are a little off in the depth area.
> 
> content:"|FF 51|"; content:"|00 01 02 00 00|"; distance:1
> 
> is more likely what you want.
> 
> are there any other unique bits?
> 
> can you send a sample pkt with some background
> 
> Ron wrote:
>> 
>> I have a pretty simple question, with hopefully a simple answer.
>> 
>> I'd like to match a packet that looks like this:
>> |FF 51 xx 00 01 02 00 00 ...|
>> 
>> That is, starting with FF 51, then any byte, then 00 01 02 00 00, then
>> any other number of bytes.
>> 
>> This is what I have now:
>> content:"|FF 51|"; depth:0; content:"|00 01 02 00 00|"
>> 
>> But that's going to hit some false positives.
>> 
>> Any ideas?
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs



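Added example (editor's note; this is not part of the thread above and not Snort's own code): a small Python model of how Snort's content modifiers offset, depth, distance and within narrow the search window, run over packets constructed in the FF 51 / size / status / error-string layout Ron describes. The rule option strings, the packet bytes and all function names here are assumptions made for this example. The "tight" rule pins the |FF 51| header to the first two payload bytes with depth:2, then anchors the status code two bytes past the end of that match (skipping the 2-byte little-endian size field) with distance:2 and within:4. The run shows that the unanchored rule also fires when the 01 00 00 00 bytes occur inside the error text, or when FF 51 is not at the start of the payload, while the anchored rule does not. The model makes no attempt to reproduce depth:0, which the thread discusses; depth here is either a positive byte count or absent.

```python
"""Toy model of Snort content matching (offset/depth/distance/within).

Added example, not Snort source. Semantics modelled (assumptions):
  - an absolute content (no distance/within) is searched in
    payload[offset : offset + depth], or to the end of the payload
    when depth is absent;
  - a content with distance and/or within is relative: its window
    starts `distance` bytes after the end of the previous match and
    is `within` bytes long, or runs to the end of the payload when
    within is absent;
  - the pattern must lie entirely inside the window.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Content:
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None
    distance: Optional[int] = None
    within: Optional[int] = None

    @property
    def relative(self) -> bool:
        return self.distance is not None or self.within is not None


def parse_pattern(text: str) -> bytes:
    """Decode a Snort content string: text between pipes is hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_options(options: str) -> List[Content]:
    """Parse a rule-option string into Content entries.

    Only content/offset/depth/distance/within are handled, and the
    split on ';' assumes no ';' inside a quoted pattern.
    """
    contents: List[Content] = []
    for opt in options.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name == "content":
            contents.append(Content(parse_pattern(value.strip('"'))))
        elif name in ("offset", "depth", "distance", "within"):
            if not contents:
                raise ValueError(f"{name} given before any content")
            setattr(contents[-1], name, int(value))
        else:
            raise ValueError(f"unsupported option: {name}")
    return contents


def match_rule(payload: bytes, contents: List[Content]) -> bool:
    """Return True when every content matches in order with its window."""
    prev_end = 0  # end of the previous match, for relative contents
    for c in contents:
        if c.relative:
            start = prev_end + (c.distance or 0)
            end = len(payload) if c.within is None else start + c.within
        else:
            start = c.offset
            end = len(payload) if c.depth is None else start + c.depth
        if start < 0 or start > len(payload):
            return False
        idx = payload[start:end].find(c.pattern)
        if idx < 0:
            return False
        prev_end = start + idx + len(c.pattern)
    return True


def matches(options: str, payload: bytes) -> bool:
    return match_rule(payload, parse_options(options))


def build_packet(status: int, text: bytes = b"") -> bytes:
    """Constructed packet: FF 51, size (LE16), status (LE32), NUL-terminated text."""
    body = status.to_bytes(4, "little") + text + b"\x00"
    size = 2 + 2 + len(body)  # header + size field + body
    return b"\xff\x51" + size.to_bytes(2, "little") + body


# Constructed samples for this example, not captures from the thread.
PACKETS: Dict[str, bytes] = {
    "status1_short": build_packet(1),                   # FF 51 09 00 01 00 00 00 00
    "status1_text": build_packet(1, b"error text"),
    "status2_lookalike": build_packet(2, b"\x01\x00\x00\x00"),  # 01 00 00 00 only in the text
    "not_at_start": b"\x00" + build_packet(1),          # FF 51 at offset 1
}

RULE_LOOSE = 'content:"|FF 51|"; content:"|01 00 00 00|";'
RULE_TIGHT = 'content:"|FF 51|"; depth:2; content:"|01 00 00 00|"; distance:2; within:4;'


def evaluate(options: str) -> Dict[str, bool]:
    """Run one rule-option string over every sample packet."""
    return {name: matches(options, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rule in (("loose", RULE_LOOSE), ("tight", RULE_TIGHT)):
        print(label, rule)
        for name, hit in evaluate(rule).items():
            print(f"  {name:18s} {'MATCH' if hit else '-'}")
```

Because the status code sits at a fixed offset in this layout, the same effect can be had with an absolute `offset:4; depth:4;` on the second content; the relative form is what the thread is discussing, so that is what the example exercises.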
