[Snort-sigs] Snort rule for a pattern match?
james.lay at ...3513...
Tue Mar 26 15:28:50 EDT 2013
From: Shields, Joseph (NIH/NIEHS) [C] [mailto:joseph.shields at ...3788...]
Sent: Tuesday, March 26, 2013 12:02 PM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Snort rule for a pattern match?
I'm reposting this question as I have not seen any responses yet.
Perhaps this can't be done at this time.
I am looking for a pattern that identifies a threat I am tracking and
need to write a signature to find it. The problem is that I don't know
what the starting character will be but I will always know what the
difference between two given characters will be.
A simple, human-readable example is:
The difference between each character is:
[A] is 1 SMALLER than [B] is 1 SMALLER than [C] is 1 SMALLER than [D] is
16 SMALLER than [T] is 1 BIGGER than [S] is 1 BIGGER than [R] is 1
BIGGER than [Q]
The pattern in this example is -1,-1,-1,-16,+1,+1,+1.
BCDEXWVU would match this pattern and so would HIJKZXYW.
How can I write this rule?
What port are we talking here? If this is port 80 then ick, but if it's
something obscure it could be as simple as a pcre and we could forego
Got a pcap or is there ANYTHING that's a constant that we can also match
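The relative-difference matcher the question describes, written out as an added example (it is not code from either poster and not a Snort feature): scan_deltas finds a run of bytes whose consecutive differences follow a fixed delta list regardless of the first byte, and since PCRE has no arithmetic, build_pcre enumerates every run the deltas can produce from a chosen set of starting bytes and emits them as an explicit alternation that can be dropped into a pcre option. The delta sign follows the original "A is 1 SMALLER than B" reading, so +1 means the next byte is one greater; the sid and port in the comment are placeholders.

```python
import re

def scan_deltas(payload: bytes, deltas) -> int:
    """Offset of the first run whose consecutive byte differences equal
    `deltas` (e.g. [1, 1, 1, 16, -1, -1, -1]), or -1 if none is present."""
    n = len(deltas)
    for start in range(len(payload) - n):
        if all(payload[start + i + 1] - payload[start + i] == d
               for i, d in enumerate(deltas)):
            return start
    return -1

def expand_pattern(deltas, first_bytes=range(0x20, 0x7F)):
    """Every concrete run the deltas can produce when the first byte is drawn
    from `first_bytes` and every byte of the run stays within 0..255.
    Default: printable ASCII starting characters (assumption)."""
    runs = []
    for b0 in first_bytes:
        run = [b0]
        for d in deltas:
            run.append(run[-1] + d)
        if all(0 <= x <= 0xFF for x in run):
            runs.append(bytes(run))
    return runs

def _pcre_escape(run: bytes) -> str:
    # Keep ASCII letters/digits literal, hex-escape everything else so the
    # alternation is safe inside a Snort pcre:"/.../" option.
    return "".join(chr(c) if c < 0x80 and chr(c).isalnum() else "\\x%02x" % c
                   for c in run)

def build_pcre(deltas, first_bytes=range(0x20, 0x7F)) -> str:
    """Alternation of all expanded runs, e.g. for
    alert tcp any any -> any <PORT> (msg:"delta run"; pcre:"/<this>/"; sid:<SID>;)"""
    return "(?:" + "|".join(_pcre_escape(r) for r in expand_pattern(deltas, first_bytes)) + ")"

if __name__ == "__main__":
    deltas = [1, 1, 1, 16, -1, -1, -1]
    sample = b"\x00\x00ABCDTSRQ\x00"   # constructed payload containing one run
    print(scan_deltas(sample, deltas))                 # 2
    print(len(expand_pattern(deltas)))                 # 95 printable-start runs
    print(re.search(build_pcre(deltas), sample.decode("latin-1")).group())
```

Expanding the alternation only stays practical while the run is short and the starting-byte set is small; for long runs or arbitrary binary starts, the Python scanner (or an equivalent in a preprocessor) is the workable option.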