[Snort-sigs] Could someone test a rule for me please?

Charlie Egan chas5873 at ...2420...
Mon Jul 7 08:39:44 EDT 2014


Ah that makes sense now! Cheers for that Joel, appreciate it.


On Mon, Jul 7, 2014 at 1:37 PM, Joel Esler (jesler) <jesler at ...3865...>
wrote:

>  |13| means “look for 13, in hex (as opposed to ascii)”  In BitTorrent,
> this is the Protocol Name Length field.  Which is always set to 19. (|13|
> in hex).  Then "protocol name" = “BitTorrent Protocol”.
>
>  --
> *Joel Esler*
> Open Source Manager
> Threat Intelligence Team Lead
> Vulnerability Research Team
>
>
>
>  On Jul 7, 2014, at 6:43 AM, Charlie Egan <chas5873 at ...2420...> wrote:
>
>  Sorry to be a pain guys, could somebody get back to me regarding my last
> query?
>
> Cheers,
>
> Charlie
>
>
> On Thu, Jul 3, 2014 at 11:39 AM, Charlie Egan <chas5873 at ...2420...> wrote:
>
>>   No worries Nathan!
>>
>>  Joel, I'm curious to what the |13| means in the content section? I can't
>> figure it out when looking at the stream content image I uploaded above
>> from Wireshark.
>>
>>  Your rule looks a lot better than mine, with the extra depth which I've
>> just read up about, so thanks for that.
>>
>>  Out of curiosity though, would my initial rule have worked without
>> giving out any false positives?
>>
>> Cheers
>>
>>
>> On Wed, Jul 2, 2014 at 7:17 PM, lists at ...3397... <
>> lists at ...3397...> wrote:
>>
>>> On 07/02/2014 12:56 PM, Joel Esler (jesler) wrote:
>>> > I think Nathan may have missed the “BitTorrent protocol” part.
>>>
>>>  Without a doubt, I completely missed it.  I profusely apologize Charlie.
>>>
>>
>>
>
>
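The point Joel makes above, that `|13|` in a Snort content string is the hex byte 0x13 (decimal 19) carrying the length of the protocol name in a BitTorrent peer handshake, can be checked against actual bytes. The following is an added example, not code from the thread or from the Snort project: it builds a constructed handshake (layout pstrlen, pstr, 8 reserved bytes, 20-byte info_hash, 20-byte peer_id, per the BitTorrent peer wire protocol, with the canonical lowercase string "BitTorrent protocol"), decodes it, and emulates how a `content` pattern with a pipe-delimited hex escape and an optional `depth` would line up with the payload. The function names and the sample info_hash/peer_id values are assumptions made for the example.

```python
"""Decode a BitTorrent peer-wire handshake and show how a Snort-style
content pattern with a hex escape such as |13| maps onto the payload.

Added example; not from the snort-sigs thread or the Snort project.
All sample bytes below are constructed.
"""
from typing import Optional, Tuple

# Protocol name from the peer wire protocol: 19 bytes, hence pstrlen 0x13.
PSTR = b"BitTorrent protocol"


def snort_content_to_bytes(content: str) -> bytes:
    """Translate a Snort content string like "|13|BitTorrent protocol" into
    the raw byte pattern Snort compares against the payload.

    Text between pipes is hex (spaces allowed); everything else is ASCII.
    """
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2 == 1:  # odd-numbered chunks sit inside |...|
            out.extend(bytes.fromhex(chunk.replace(" ", "")))
        else:
            out.extend(chunk.encode("ascii"))
    return bytes(out)


def parse_handshake(payload: bytes) -> Optional[Tuple[int, bytes, bytes, bytes]]:
    """Return (pstrlen, pstr, info_hash, peer_id), or None if the payload
    is too short to be a complete handshake."""
    if not payload:
        return None
    pstrlen = payload[0]  # the byte the rule matches as |13|
    if len(payload) < 1 + pstrlen + 8 + 20 + 20:
        return None
    pstr = payload[1:1 + pstrlen]
    off = 1 + pstrlen + 8  # skip the 8 reserved bytes
    info_hash = payload[off:off + 20]
    peer_id = payload[off + 20:off + 40]
    return pstrlen, pstr, info_hash, peer_id


def matches(payload: bytes, content: str, depth: Optional[int] = None) -> bool:
    """Emulate a Snort content match: the pattern must occur within the
    first `depth` bytes of the payload (whole payload when depth is None)."""
    pattern = snort_content_to_bytes(content)
    window = payload if depth is None else payload[:depth]
    return pattern in window


def build_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Assemble a handshake: pstrlen, pstr, reserved, info_hash, peer_id."""
    assert len(info_hash) == 20 and len(peer_id) == 20
    return bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + info_hash + peer_id


# Constructed sample handshake (info_hash and peer_id are placeholders).
SAMPLE = build_handshake(b"\x11" * 20, b"-CONSTRUCTED-SAMPLE!")

# Constructed non-BitTorrent payload that merely mentions the protocol name:
# there is no leading 0x13 length byte, so the pattern should not match.
HTTP_SAMPLE = b"GET /search?q=BitTorrent%20protocol HTTP/1.1\r\n\r\n"


if __name__ == "__main__":
    print(snort_content_to_bytes("|13|BitTorrent protocol"))
    print(parse_handshake(SAMPLE))
    print(matches(SAMPLE, "|13|BitTorrent protocol", depth=20))
    print(matches(HTTP_SAMPLE, "|13|BitTorrent protocol"))
```

With `depth:20` the 20-byte pattern (one length byte plus the 19-byte name) must sit at the very start of the payload, which is exactly where a handshake places it; shifting the payload by even one byte makes the match fail, and a payload that only contains the text "BitTorrent protocol" without the 0x13 length byte does not match at all.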