[Snort-sigs] IPID field filtering

Mcintosh, Fraser 40121324 at ...4136...
Thu Feb 25 07:56:11 EST 2016

Good afternoon!

I am a computer security student currently undertaking an Honours project on covert channels and steganography. I tried to use Snort to raise an alert if it finds ASCII characters in the IPID field of frames. However, I keep getting an error message saying that the value has to be a number when filtering the IPID field. After trying to find a reason as to why Snort doesn't allow this, I found nothing. Therefore I would be very grateful if someone could offer an explanation as to why Snort does not support filtering against strings for the IPID field.

Many thanks, Fraser McIntosh.
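
Added example, not part of the original message or of Snort: the IPv4 Identification field is a single 16-bit integer, so "ASCII characters in the IPID" means two printable bytes packed into one number. The sketch below checks that condition per flow over constructed sample headers; the function names, the run threshold and the documentation-range addresses are assumptions made for illustration.

```python
import socket
import struct
from collections import defaultdict

PRINTABLE = range(0x20, 0x7F)  # printable ASCII, space through '~'

def parse_ipv4(pkt: bytes):
    """Return ((src, dst), ipid) from a raw IPv4 header, or None if not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ipid = struct.unpack("!H", pkt[4:6])[0]  # Identification: bytes 4-5, network order
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])), ipid

def is_ascii_pair(ipid: int) -> bool:
    """True when both bytes of the 16-bit IPID are printable ASCII."""
    return (ipid >> 8) in PRINTABLE and (ipid & 0xFF) in PRINTABLE

def flag_flows(packets, min_run=4):
    """Map (src, dst) -> decoded text for flows with >= min_run consecutive
    printable IPIDs (min_run is an assumed threshold)."""
    # One hit alone is weak evidence: 95*95 of the 65536 possible IPID
    # values (about 14%) are printable pairs purely by chance.
    run = defaultdict(list)   # current run of printable IPIDs per flow
    best = {}                 # longest qualifying run seen per flow
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        flow, ipid = parsed
        if is_ascii_pair(ipid):
            run[flow].append(ipid)
            if len(run[flow]) >= min_run and len(run[flow]) > len(best.get(flow, [])):
                best[flow] = list(run[flow])
        else:
            run[flow] = []
    return {f: b"".join(struct.pack("!H", i) for i in ids).decode("ascii")
            for f, ids in best.items()}

def build_header(src, dst, ipid):
    """Constructed 20-byte IPv4 header for the sample data (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ipid, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed sample traffic: one flow carrying text in the IPID, one ordinary flow.
SAMPLE = [build_header("192.0.2.10", "198.51.100.5", i)
          for i in (0x6869, 0x6464, 0x656E, 0x2121)]
SAMPLE += [build_header("192.0.2.20", "198.51.100.5", i)
           for i in (0x0001, 0x4142, 0x0003, 0xF00D)]

if __name__ == "__main__":
    print(flag_flows(SAMPLE))
```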
