[Snort-sigs] Could someone test a rule for me please?

Joel Esler (jesler) jesler at ...3865...
Mon Jul 7 08:37:23 EDT 2014

|13| means “look for 13, in hex (as opposed to ascii)”  In Bitorrent, this is the Protocol Name Length field.  Which is always set to 19. (|13| in hex).  Then "protocol name" = “BitTorrent Protocol”.

Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Jul 7, 2014, at 6:43 AM, Charlie Egan <chas5873 at ...2420...<mailto:chas5873 at ...2420...>> wrote:

Sorry to be a pain guys, could somebody get back to me regarding my last query?



On Thu, Jul 3, 2014 at 11:39 AM, Charlie Egan <chas5873 at ...2420...<mailto:chas5873 at ...2420...>> wrote:
No worries Nathan!

Joel, I'm curious to what the |13| means in the content section? I can't figure it out when looking at the stream content image I uploaded above from Wireshark.

Your rule looks a lot better than mine, with the extra depth which I've just read up about, so thanks for that.

Out of curiousity though, would my initial rule have worked without giving out any false positives?


On Wed, Jul 2, 2014 at 7:17 PM, lists at ...3397...<mailto:lists at ...3397...> <lists at ...3397...<mailto:lists at ...3397...>> wrote:
On 07/02/2014 12:56 PM, Joel Esler (jesler) wrote:
> I think Nathan may have missed the “BitTorrent protocol” part.

Without a doubt, I completely missed it.  I profusely apologize Charlie.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140707/de346634/attachment.html>

More information about the Snort-sigs mailing list