[Snort-sigs] question on byte_jump

Joel Esler joel.esler at ...435...
Tue Feb 20 01:42:26 EST 2007


The "detection pointer" will be at the end of the previous content match.  Since byte_jumps are essentially treated as content matches, it will be at the end of the previous jump.

J


On Tue, Feb 20, 2007 at 03:17:45PM +0900, it looks like Dongwook Kim sent me:
> Hi,
> I'm trying to write a rule using the byte_jump option.
> The situation I've encountered is something like below.
>
> content:"|00000000|"; byte_jump:4,0,relative;
> byte_jump:4,0,relative,align;
>
> In the second byte_jump above, where will the detection pointer be
> relative to? Is it the last matched content |00000000| or whatever
> point was reached using the first byte_jump?
>
> D Kim


> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs




+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
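Worked model of the answer above, added here and not part of the original thread: a small Python simulation of `content` followed by two chained `byte_jump` options, run over a constructed payload. It assumes Snort 2 semantics as I understand them (the value is read big-endian at the current pointer plus offset, `align` rounds that value up to a multiple of 4, and the new pointer is the end of the bytes read plus the value); the function names and the payload are my own.

```python
import struct

# Constructed sample payload (not from the original thread): a 4-byte zero
# marker, then two big-endian length-prefixed fields, then a tail.
PAYLOAD = (
    b"\x00\x00\x00\x00"                                  # content:"|00000000|" -> pointer at 4
    + struct.pack(">I", 3) + b"AAA"                      # length 3, skip 3     -> pointer at 11
    + struct.pack(">I", 5) + b"BBBBB" + b"\x00\x00\x00"  # length 5, align -> 8 -> pointer at 23
    + b"tail"
)

def content_match(payload, pattern, doe=0):
    """Model of 'content': returns the pointer just past the match, or None."""
    idx = payload.find(pattern, doe)
    return None if idx < 0 else idx + len(pattern)

def byte_jump(payload, doe, nbytes, offset, relative=True, align=False):
    """Model of 'byte_jump' (assumed Snort 2 semantics): read <nbytes> at
    base+offset as a big-endian integer, round it up to a multiple of 4 when
    'align' is set, and move the pointer to (end of bytes read + value)."""
    base = doe if relative else 0
    read_at = base + offset
    if read_at < 0 or read_at + nbytes > len(payload):
        return None                                      # out of bounds -> no match
    value = int.from_bytes(payload[read_at:read_at + nbytes], "big")
    if align:
        value = (value + 3) & ~3
    new_doe = read_at + nbytes + value
    return new_doe if new_doe <= len(payload) else None

def trace_rule(payload):
    """content:"|00000000|"; byte_jump:4,0,relative; byte_jump:4,0,relative,align;
    Returns the detection pointer after each option (None once an option fails)."""
    doe = content_match(payload, b"\x00\x00\x00\x00")
    positions = [doe]
    for align in (False, True):
        if doe is None:
            break
        doe = byte_jump(payload, doe, 4, 0, relative=True, align=align)
        positions.append(doe)
    return positions

if __name__ == "__main__":
    # [4, 11, 23]: the second jump reads at 11 (end of the first jump), not at 4
    print(trace_rule(PAYLOAD))
```

If the second jump were instead anchored at the end of the content match (pointer 4), it would re-read the first length field and land at 12, which is what `byte_jump(PAYLOAD, 4, 4, 0, align=True)` returns.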