[Snort-sigs] Snort rule for a pattern match?

Joel Esler jesler at ...435...
Tue Mar 26 14:31:37 EDT 2013


You can do this with a bunch of byte_extracts and byte_tests.  It would be complicated though.  (If I am reading your email correctly.)

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Mar 26, 2013, at 2:01 PM, "Shields, Joseph (NIH/NIEHS) [C]" <joseph.shields at ...3788...> wrote:

> I’m reposting this question as I have not seen any responses yet.  Perhaps this can’t be done at this time.
>  
> Brian
>  
> I am looking for a pattern that identifies a threat I am tracking and need to write a signature to find it.  The problem is that I don’t know what the starting character will be but I will always know what the difference between two given characters will be.
>  
> A simple, human readable, example is:
>  
> ABCDTSRQ
>  
> The difference between each character is:
>  
> [A] is 1 SMALLER than [B] is 1 SMALLER than [C] is 1 SMALLER than [D] is 16 SMALLER than [T] is 1 BIGGER than [S] is 1 BIGGER than [R] is 1 BIGGER than [Q]
>  
> The pattern in this example is -1,-1,-1,-16,+1,+1,+1.
>  
> BCDEXWVU would match this pattern and so would HIJKZXYW.
>  
> How can I write this rule?
>  
> Brian
>  
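A stand-alone illustration of the check being described (added here; it is not code from the thread, and the sample payloads are constructed): compute the difference between each byte and the one after it, using the convention from the question that "A then B" is -1, and look for that delta sequence at every offset of the payload. This is the comparison a rule built from byte_extract and byte_test has to encode position by position; the Python below just makes the per-byte comparisons explicit, and it matches any shift of the starting byte, not only the two cases discussed.

```python
"""Delta-pattern matcher: flag a byte sequence by the differences between
consecutive bytes rather than by the bytes themselves, so the same pattern
fires whatever the starting byte happens to be.  Added example, not from
the snort-sigs thread."""

from typing import List, Sequence


def delta_pattern(sample: bytes) -> List[int]:
    """Derive the delta pattern from a known sample.

    Convention from the thread: each value is (previous byte - next byte),
    so "A then B" gives -1 and "T then S" gives +1.
    """
    return [sample[i] - sample[i + 1] for i in range(len(sample) - 1)]


def find_delta_pattern(payload: bytes, pattern: Sequence[int]) -> List[int]:
    """Return every offset in payload at which the next len(pattern)+1 bytes
    have exactly the given consecutive differences."""
    hits: List[int] = []
    width = len(pattern) + 1                      # bytes covered by the pattern
    for off in range(len(payload) - width + 1):   # empty range if payload too short
        window = payload[off:off + width]
        if all(window[i] - window[i + 1] == d for i, d in enumerate(pattern)):
            hits.append(off)
    return hits


def matches(payload: bytes, pattern: Sequence[int]) -> bool:
    """True if the delta pattern occurs anywhere in the payload."""
    return bool(find_delta_pattern(payload, pattern))


# Pattern taken from the human-readable sample in the question.
PATTERN = delta_pattern(b"ABCDTSRQ")      # [-1, -1, -1, -16, 1, 1, 1]

# Constructed sample payloads (not captured traffic).  Each shifted sample
# adds the same constant to every byte, so the deltas are unchanged.
SAMPLES = {
    "original":  b"GET /x?q=ABCDTSRQ HTTP/1.1",
    "shifted+1": b"GET /x?q=" + bytes(c + 1 for c in b"ABCDTSRQ") + b" HTTP/1.1",
    "shifted+7": b"GET /x?q=" + bytes(c + 7 for c in b"ABCDTSRQ") + b" HTTP/1.1",
    # A plain ascending run shares the first three deltas but fails at -16.
    "benign":    b"GET /x?q=ABCDEFGH HTTP/1.1",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:10s} -> offsets {find_delta_pattern(payload, PATTERN)}")
```

A short delta run such as -1,-1,-1 occurs in a great deal of benign data (any consecutive run of letters or digits), so the full sequence, ideally combined with a fixed content anchor or a restricted service and port, is what keeps the false-positive rate tolerable; the benign sample above shares the first three steps and is rejected only at the -16 step.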
