[Snort-sigs] Max. allowed bytes to extract

Alex McDonnell amcdonnell at ...435...
Tue Mar 29 16:05:25 EDT 2016


Hi YM,

a quick grep through the ruleset shows that those that byte_extract 10
bytes all use the "string" modifier. byte_extract of hex data is limited to
4 bytes.

On Tue, Mar 29, 2016 at 3:57 PM, Y M <snort at ...3751...> wrote:

> Hello all,
>
>
> While trying to use the byte_extract, I received an error message
> "byte_extract rule option cannot extract more than 4 bytes.". Looking at
> some existing signatures, some of them have 10 bytes to extract. I was not
> able to infer this from the documentation. Any idea what is the maximum
> allowed number of bytes to extract?
>
>
> Thanks.
>
> YM
>
>
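An added example, not part of either message and not Snort project code: a small Python lint that applies the limits described in the reply to byte_extract options before a rule is loaded. The rules, SIDs, and the names check_rule, MAX_BINARY_BYTES and MAX_STRING_BYTES are constructed for illustration; treating 10 as the cap for "string" extraction is an assumption based on the 10-byte rules mentioned above.

```python
import re

# Limits taken from the thread: 4 bytes for binary extraction.
# 10 for "string" extraction is an assumption (the size seen in existing rules).
MAX_BINARY_BYTES = 4
MAX_STRING_BYTES = 10

# Matches the argument list of each byte_extract option in a rule body.
BYTE_EXTRACT_RE = re.compile(r"byte_extract\s*:\s*([^;]+);")


def check_rule(rule):
    """Return (variable, bytes_requested, limit) for every byte_extract over its limit."""
    findings = []
    for match in BYTE_EXTRACT_RE.finditer(rule):
        args = [a.strip() for a in match.group(1).split(",")]
        if len(args) < 3 or not args[0].isdigit():
            findings.append((None, None, None))  # malformed option
            continue
        nbytes, name = int(args[0]), args[2]
        # Modifiers follow the three positional arguments (bytes, offset, name).
        modifiers = {a.split()[0].lower() for a in args[3:] if a}
        limit = MAX_STRING_BYTES if "string" in modifiers else MAX_BINARY_BYTES
        if not 1 <= nbytes <= limit:
            findings.append((name, nbytes, limit))
    return findings


# Constructed sample rules (not from any real ruleset).
RULE_STRING_10 = ('alert tcp any any -> any 80 (msg:"constructed ascii length"; '
                  'content:"Len="; byte_extract:10,0,len_val,relative,string,dec; '
                  'sid:1000001;)')
RULE_BINARY_10 = ('alert tcp any any -> any 80 (msg:"constructed binary length"; '
                  'content:"|AA BB|"; byte_extract:10,0,len_val,relative; '
                  'sid:1000002;)')
RULE_BINARY_4 = ('alert tcp any any -> any 80 (msg:"constructed binary length"; '
                 'content:"|AA BB|"; byte_extract:4,0,len_val,relative,big; '
                 'sid:1000003;)')

if __name__ == "__main__":
    for rule in (RULE_STRING_10, RULE_BINARY_10, RULE_BINARY_4):
        print(check_rule(rule) or "ok")
```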

