[Snort-sigs] question on byte_jump

Brian bmc at ...95...
Wed Feb 21 15:56:11 EST 2007


On Tue, Feb 20, 2007 at 03:17:45PM +0900, Dongwook Kim wrote:
> I'm trying to write a rule using byte_jump option.
> 
> The situation I've encountered is something like below.
> 
> content:"|00000000|"; byte_jump:4,0,relative; byte_jump:4,0,relative,align;

Instead of words, how about an example?  

The following hex-dump would match:

    00 00 00 00 00 00 00 01 
    FF 00 00 00 01 FF FF FF 
    FF 00 01 02 03

the following set of rule options:

    content:"|00000000|"; 
    byte_jump:4,0,relative;
    byte_jump:4,0,relative,align; 
    content:"|00 01 02 03|"; within:4;

Brian
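
The cursor movement in the example above can be traced with a small model. This is an added example, not part of the original post and not Snort's own code; the function names are hypothetical, and it assumes big-endian reads, byte_jump's documented align behaviour (round the converted value up to the next 32-bit boundary), and a final content equal to the last four bytes of the dump (00 01 02 03).

```python
# Simplified model of relative content/byte_jump cursor handling (added example).
# Assumptions: big-endian reads, first content match only (no retry on failure).

# Payload bytes copied from the hex dump in the post.
PAYLOAD = bytes.fromhex(
    "00 00 00 00 00 00 00 01 "
    "FF 00 00 00 01 FF FF FF "
    "FF 00 01 02 03"
)

def content(payload, cursor, pattern, within=None):
    """Find pattern at or after cursor; return the cursor past the match, or None."""
    end = len(payload) if within is None else min(len(payload), cursor + within)
    idx = payload.find(pattern, cursor, end)
    return None if idx < 0 else idx + len(pattern)

def byte_jump(payload, cursor, nbytes, offset, align=False):
    """byte_jump:<nbytes>,<offset>,relative[,align]; return new cursor or None."""
    start = cursor + offset
    if start < 0 or start + nbytes > len(payload):
        return None                      # not enough data to read the length field
    value = int.from_bytes(payload[start:start + nbytes], "big")
    if align and value % 4:
        value += 4 - value % 4           # round the converted value up to a multiple of 4
    new = start + nbytes + value         # skip the field itself, then jump
    return new if new <= len(payload) else None

def evaluate(payload, align_second=True):
    """Run the four rule options in order; return (matched, cursor trace)."""
    trace = []
    cur = content(payload, 0, b"\x00\x00\x00\x00")
    trace.append(cur)
    for align in (False, align_second):
        if cur is None:
            return False, trace
        cur = byte_jump(payload, cur, 4, 0, align)
        trace.append(cur)
    if cur is None:
        return False, trace
    cur = content(payload, cur, b"\x00\x01\x02\x03", within=4)
    trace.append(cur)
    return cur is not None, trace

if __name__ == "__main__":
    print(evaluate(PAYLOAD))                      # with align on the second jump
    print(evaluate(PAYLOAD, align_second=False))  # same payload, align removed
```

The trace lists the cursor offset after each rule option, so the effect of align on the second jump shows up as a different landing offset before the final content check.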



