[Snort-sigs] Max. allowed bytes to extract

Y M snort at ...3751...
Tue Mar 29 16:09:13 EDT 2016


Haa, I did not know that. Thanks Alex, this is helpful.


YM

________________________________
From: Alex McDonnell <amcdonnell at ...435...>
Sent: Tuesday, March 29, 2016 8:05 PM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] Max. allowed bytes to extract

Hi YM,

A quick grep through the ruleset shows that those that byte_extract 10 bytes all use the "string" modifier. byte_extract of hex data is limited to 4 bytes.

On Tue, Mar 29, 2016 at 3:57 PM, Y M <snort at ...3751...> wrote:

Hello all,


While trying to use the byte_extract, I received an error message "byte_extract rule option cannot extract more than 4 bytes.". Looking at some existing signatures, some of them have 10 bytes to extract. I was not able to infer this from the documentation. Any idea what is the maximum allowed number of bytes to extract?


Thanks.

YM
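
Added example, not part of the original thread: a small pre-flight check that scans rule text for byte_extract options asking for more than 4 bytes without the "string" modifier, the case that produces the error quoted above. The function names and sample rules are constructed for illustration, and the parsing is a simplification of Snort's own rule parser.

```python
import re

# Limit quoted in the thread for byte_extract without the "string" modifier.
MAX_BINARY_BYTES = 4

# One byte_extract option body: everything between "byte_extract:" and ";".
BYTE_EXTRACT_RE = re.compile(r'byte_extract\s*:\s*([^;]*);')
# Quoted strings are blanked first so a literal "byte_extract:" inside
# a content or msg value is not mistaken for an option.
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')

def check_rule(rule):
    """Return [(variable_name, byte_count)] for byte_extract options that
    request more than 4 bytes without the "string" modifier."""
    findings = []
    stripped = QUOTED_RE.sub('""', rule)
    for match in BYTE_EXTRACT_RE.finditer(stripped):
        args = [a.strip() for a in match.group(1).split(',')]
        if len(args) < 3 or not args[0].isdigit():
            continue  # malformed option; leave it to Snort's own parser
        count, name = int(args[0]), args[2]
        # First word of each trailing argument, e.g. "multiplier 2" -> "multiplier".
        modifiers = {a.split()[0].lower() for a in args[3:] if a}
        if count > MAX_BINARY_BYTES and 'string' not in modifiers:
            findings.append((name, count))
    return findings

def check_ruleset(text):
    """Map 1-based line number -> findings for each active rule line."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # skip blanks and commented-out rules
        found = check_rule(line)
        if found:
            report[lineno] = found
    return report

# Constructed sample rules (not taken from any real ruleset).
SAMPLE_RULES = '''\
# constructed examples
alert tcp any any -> any 80 (msg:"binary 2 bytes"; content:"|AA BB|"; byte_extract:2,0,len,relative; sid:1000001;)
alert tcp any any -> any 80 (msg:"string 10 bytes"; content:"Length: "; byte_extract:10,0,clen,relative,string,dec; sid:1000002;)
alert tcp any any -> any 80 (msg:"binary 10 bytes"; content:"byte_extract:9,0,x;"; byte_extract:10,0,big,relative; sid:1000003;)
'''

if __name__ == '__main__':
    print(check_ruleset(SAMPLE_RULES))
```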
