[Snort-sigs] Max. allowed bytes to extract

Y M snort at ...3751...
Tue Mar 29 16:09:13 EDT 2016

Haa, I did not know that. Thanks Alex, this is helpful.


From: Alex McDonnell <amcdonnell at ...435...>
Sent: Tuesday, March 29, 2016 8:05 PM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] Max. allowed bytes to extract

Hi YM,

A quick grep through the ruleset shows that those that byte_extract 10 bytes all use the "string" modifier. byte_extract of hex data is limited to 4 bytes.

On Tue, Mar 29, 2016 at 3:57 PM, Y M <snort at ...3751...> wrote:

Hello all,

While trying to use the byte_extract, I received an error message "byte_extract rule option cannot extract more than 4 bytes.". Looking at some existing signatures, some of them have 10 bytes to extract. I was not able to infer this from the documentation. Any idea what is the maximum allowed number of bytes to extract?
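
Added example, not part of the original thread or of Snort itself: a small pre-load check that flags `byte_extract` options whose byte count exceeds the limit discussed above (4 bytes, or the 10 bytes seen only together with the `string` modifier). The function name, the sample rules and the use of 10 as the ceiling for `string` extracts are assumptions made for this example.

```python
import re

# Limits as stated in the thread: 4 bytes for a plain (binary) extract; the
# 10-byte extracts in the ruleset all carry "string". Using 10 as the ceiling
# for string extracts is an assumption of this example.
MAX_BINARY_BYTES = 4
MAX_STRING_BYTES = 10

BYTE_EXTRACT_RE = re.compile(r'byte_extract\s*:\s*([^;]+);')
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def check_byte_extract(rule):
    """Return (variable, byte_count, problem) tuples for one rule's text."""
    findings = []
    # Blank quoted strings so msg/content text is never parsed as an option.
    unquoted = QUOTED_RE.sub('""', rule)
    for match in BYTE_EXTRACT_RE.finditer(unquoted):
        args = [a.strip() for a in match.group(1).split(',')]
        if len(args) < 3 or not args[0].isdigit():
            findings.append((None, None, 'malformed byte_extract'))
            continue
        nbytes, name = int(args[0]), args[2]
        modifiers = {a.split()[0].lower() for a in args[3:] if a}
        is_string = 'string' in modifiers
        limit = MAX_STRING_BYTES if is_string else MAX_BINARY_BYTES
        if not 1 <= nbytes <= limit:
            kind = 'string' if is_string else 'binary'
            findings.append((name, nbytes, f'{kind} extract limited to {limit} bytes'))
    return findings


# Constructed sample rules (not from the Snort ruleset).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"constructed A"; content:"LEN="; '
    'byte_extract:10,0,len,relative; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"constructed B"; content:"LEN="; '
    'byte_extract:10,0,len,relative,string,dec; sid:1000002;)',
    'alert tcp any any -> any 80 (msg:"constructed C byte_extract:9,0,x;"; '
    'byte_extract:4,0,len,relative,big; sid:1000003;)',
]

if __name__ == '__main__':
    for rule in SAMPLE_RULES:
        print(check_byte_extract(rule) or 'ok')
```

Running it over a local rules file before reloading the sensor surfaces the "cannot extract more than 4 bytes" condition per rule instead of at startup.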


