[Snort-sigs] Snort rule for a pattern match?

Lay, James james.lay at ...3513...
Tue Mar 26 15:28:50 EDT 2013

From: Shields, Joseph (NIH/NIEHS) [C] [mailto:joseph.shields at ...3788...] 
Sent: Tuesday, March 26, 2013 12:02 PM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Snort rule for a pattern match?


I'm reposting this question as I have not seen any responses yet.
Perhaps this can't be done at this time.




I am looking for a pattern that identifies a threat I am tracking and
need to write a signature to find it.  The problem is that I don't know
what the starting character will be but I will always know what the
difference between two given characters will be.


A simple, human readable, example is:




The difference between each character is:


[A] is 1 SMALLER than [B] is 1 SMALLER than [C] is 1 SMALLER than [D] is
16 SMALLER than [T] is 1 BIGGER than [S] is 1 BIGGER than [R] is 1
BIGGER than [Q]


The pattern in this example is -1,-1,-1,-16,+1,+1,+1.


BCDEXWVU would match this pattern and so would HIJKZXYW.


How can I write this rule?





What port are we talking here?  If this is port 80 then ick, but if it's
something obscure it could be as simple as a pcre and we could forego
the computations:




Got a pcap or is there ANYTHING that's a constant that we can also match



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130326/e34d0f04/attachment.html>

More information about the Snort-sigs mailing list