[Snort-sigs] IPID field filtering

Geoffrey Serrao gserrao at ...435...
Thu Feb 25 10:22:00 EST 2016

Hey Fraser,

Are you using the id:<number>; rule option? Is it possible to convert the
ascii you want to match to its decimal representation?

For instance,

ascii "AA" in the IPID field would be 0x4141 in hex and 16705 in decimal.

On Thu, Feb 25, 2016 at 7:56 AM, Mcintosh, Fraser <
40121324 at ...4136...> wrote:

> Good afternoon!
> I am a computer security student currently undertaking an Honours project
> on covert channels and steganography. I tried to use Snort to raise an
> alert if it finds ASCII characters in the IPID field of frames. However, I
> keep getting an error message saying that the value has to be a number when
> filtering the IPID field. After trying to find a reason as to why Snort
> doesn't allow this I found nothing. Therefore I would be very grateful if
> someone could offer an explanation as to why Snort does not support
> filtering against strings for the IPID field.
> Many thanks, Fraser McIntosh.
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
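A worked version of Geoffrey's suggestion, added here as an example and not code from either poster: it converts an ASCII pair into the single decimal value that Snort's id: option compares against (the IP Identification field is carried big-endian, so "AA" is 0x4141 = 16705), emits a rule line for it, and shows the same decoding applied to a constructed raw IPv4 header so you can see which packets such a rule would catch. The sid number, the rule header and the sample headers are assumptions for illustration.

```python
import string
import struct

# Printable 7-bit ASCII bytes, excluding whitespace control characters.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def ipid_value(two_chars: str) -> int:
    """Return the decimal IPID that Snort's id: option needs for an ASCII pair.

    The Identification field is 16 bits in network (big-endian) byte order,
    so the first character lands in the high byte: "AA" -> 0x4141 -> 16705.
    """
    if len(two_chars) != 2 or not all(ord(c) < 128 for c in two_chars):
        raise ValueError("the IPID field holds exactly two ASCII bytes")
    return struct.unpack("!H", two_chars.encode("ascii"))[0]


def snort_rule(two_chars: str, sid: int) -> str:
    """Build a Snort 2 rule that alerts on one exact IPID value (assumed sid)."""
    value = ipid_value(two_chars)
    return (f'alert ip any any -> any any (msg:"IPID carries ASCII {two_chars}"; '
            f'id:{value}; sid:{sid}; rev:1;)')


def ipid_from_header(header: bytes) -> int:
    """Extract the Identification field (bytes 4-5) from a raw IPv4 header."""
    if len(header) < 20:
        raise ValueError("an IPv4 header is at least 20 bytes")
    return struct.unpack("!H", header[4:6])[0]


def looks_like_ascii(ipid: int) -> bool:
    """True when both bytes of the IPID decode to printable ASCII (covert-channel hint)."""
    hi, lo = ipid >> 8, ipid & 0xFF
    return hi in PRINTABLE and lo in PRINTABLE


def build_header(ipid: int) -> bytes:
    """Constructed minimal 20-byte IPv4 header with the given ID (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20, ipid, 0, 64, 1, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def flag_ascii_ipids(headers: list) -> list:
    """Return the decimal IPIDs whose bytes look like ASCII text, for review."""
    return [ipid for ipid in map(ipid_from_header, headers) if looks_like_ascii(ipid)]


if __name__ == "__main__":
    print(snort_rule("AA", 1000001))
    # Constructed sample traffic: one ASCII-looking ID, two ordinary counters.
    samples = [build_header(ipid_value("AA")), build_header(1), build_header(0x8080)]
    print("ASCII-looking IPIDs:", flag_ascii_ipids(samples))  # [16705]
```

Because id: takes one exact number, matching "any ASCII pair" this way needs one rule per pair (or a pcap-side check like flag_ascii_ipids above); Snort itself has no string comparison for this header field, which is why the rule parser rejects non-numeric values.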