[Snort-sigs] Wanted somebody to develop new keyword "within_byte" ?

rmkml rmkml at ...324...
Thu Sep 20 07:45:44 EDT 2007


Hi,
OK, I'll explain my need with an example:
  ...37 07 01 02 03 04 05 06 07 36 01 06...
  OK, the first byte (and the 10th) is the request type, found by content:"|37|";
  OK, the second byte is the length of the request type's value (here 7 bytes)
  and the next bytes are the rest of the value (01 02 03 04 05 06 07)
  the 10th byte is another request type, the 11th byte is the length of the second request type...
I would like to be able to seek \x06 (for example) "within" the length given by the second byte (here a length of 7 bytes).
OK, I created this rule: content:"|37|"; content:"|06|"; within:10; distance:1;
but on this example, \x06 is found twice,
another example that gives an FP:
  ...37 07 01 02 03 04 05 05 07 36 01 06...
  snort rule: content:"|37|"; content:"|06|"; within:10; distance:1;

Is somebody interested in developing a new keyword: within_byte:X; ?
On my first example, the snort rule matches because \x06 is found.
But the second example does not match my rule (and reduces FP).
X in my new keyword is the number of bytes to pick up from the packet (max 4).
Best Regards
Rmkml
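As an added illustration that is not part of the post above, the following Python models the two matching strategies the post compares: Snort's fixed `distance:1; within:10;` window, and the proposed (hypothetical) `within_byte:X;` keyword that reads the length field after the first content and bounds the second content search to that many bytes. The two payloads are constructed from the hex dumps in the post. The function names `within_fixed` and `within_byte` are this example's own, and the emulation is a simplification of Snort's content matcher (it tries each occurrence of the first content, but does not model every Snort retry rule). Later Snort releases added `byte_extract`, which can bind a length byte to a variable and pass it to `within`, achieving the same effect.

```python
# Added example (not from the mailing-list post): emulate a length-bounded
# "within" check and compare it with a fixed within:10 window.

# Constructed sample payloads, taken from the two hex dumps in the post.
PKT_TRUE = bytes.fromhex("37 07 01 02 03 04 05 06 07 36 01 06")  # 06 inside the value
PKT_FP = bytes.fromhex("37 07 01 02 03 04 05 05 07 36 01 06")    # 06 only after the value


def _occurrences(payload: bytes, needle: bytes):
    """Yield every offset at which needle occurs in payload."""
    pos = payload.find(needle)
    while pos >= 0:
        yield pos
        pos = payload.find(needle, pos + 1)


def within_fixed(payload: bytes, first: bytes, second: bytes,
                 distance: int, within: int) -> bool:
    """Approximate 'content:first; content:second; distance:D; within:W;'.

    The second content must lie inside the W bytes that begin D bytes after
    the end of a match of the first content.
    """
    for start in _occurrences(payload, first):
        cursor = start + len(first) + distance
        window = payload[cursor:cursor + within]
        if second in window:
            return True
    return False


def within_byte(payload: bytes, first: bytes, second: bytes,
                length_size: int = 1) -> bool:
    """Hypothetical 'within_byte:X;' from the post, modelled here.

    Read X bytes (length_size, max 4) immediately after the first match as a
    big-endian length, then search for the second content only inside that
    many following bytes (the TLV value). A declared length that runs past
    the end of the payload is clamped to the bytes actually present.
    """
    if not 1 <= length_size <= 4:
        raise ValueError("length field must be 1..4 bytes, as proposed")
    for start in _occurrences(payload, first):
        len_off = start + len(first)
        if len_off + length_size > len(payload):
            continue  # truncated: no complete length field after this match
        value_len = int.from_bytes(payload[len_off:len_off + length_size], "big")
        value_off = len_off + length_size
        value = payload[value_off:value_off + value_len]
        if second in value:
            return True
    return False


def compare(payload: bytes) -> dict:
    """Run both strategies for content:"|37|" / content:"|06|" on one payload."""
    return {
        "within_10": within_fixed(payload, b"\x37", b"\x06", distance=1, within=10),
        "within_byte": within_byte(payload, b"\x37", b"\x06"),
    }


if __name__ == "__main__":
    for name, pkt in (("first example", PKT_TRUE), ("FP example", PKT_FP)):
        print(name, pkt.hex(" "), compare(pkt))
```

Running it shows the fixed window matching both payloads (the second being the false positive the post describes), while the length-bounded check matches only the first, where `06` really sits inside the 7-byte value.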
