[Snort-sigs] byte_test and buffer cursor

Y M snort at ...3751...
Thu Feb 9 16:30:58 EST 2017


Does a byte_test move the cursor into a buffer the number of bytes it tests? Does it depend on the buffer against which the byte_test is operating?


In essence, I am trying to use byte_test to validate that the decimal value of X number of bytes falls within a decimal range. Something similar to:


http_raw_header; byte_test:3,>,160,0,relative; byte_test:3,<,170,0,relative;


If the first byte_test above moves the cursor 3 bytes into the buffer, how can I reset the cursor back to the beginning of the buffer of the last/relative content match (http_raw_header)? Or am I just doing it all wrong?


YM
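
A small Python model of the range check described in the message above, added here as an illustration; it is not part of the original post and not Snort's own code. It assumes Snort 2.x semantics in which byte_test reads relative to the end of the last content match without advancing the cursor, and it contrasts the default binary interpretation of the bytes with the `string,dec` option; the function names and the header are constructed for the example.

```python
import operator

# Comparison operators covered by this model.
OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq}

def byte_test(buf, cursor, nbytes, op, value, offset=0,
              relative=False, string_dec=False):
    """Model one byte_test. The cursor is only read, never advanced
    (assumption stated in the lead-in), so nothing is returned but a bool."""
    start = (cursor if relative else 0) + offset
    field = buf[start:start + nbytes]
    if start < 0 or len(field) < nbytes:
        return False                      # not enough data to test
    if string_dec:
        # "string,dec": the bytes are ASCII digits (simplified parsing).
        if not field.isdigit():
            return False
        number = int(field.decode("ascii"))
    else:
        # Default: the bytes are a big-endian binary integer.
        number = int.from_bytes(field, "big")
    return OPS[op](number, value)

def in_range(buf, cursor, nbytes, low, high, string_dec):
    """Two byte_tests at the same relative position: low < value < high."""
    return (byte_test(buf, cursor, nbytes, ">", low, 0, True, string_dec)
            and byte_test(buf, cursor, nbytes, "<", high, 0, True, string_dec))

# Constructed sample: the cursor sits just past a matched "X-Code: ".
HEADER = b"X-Code: 165\r\n"
CURSOR = len(b"X-Code: ")

if __name__ == "__main__":
    # ASCII "165" read as decimal text is 165, inside (160, 170).
    print("string,dec:", in_range(HEADER, CURSOR, 3, 160, 170, True))
    # The same bytes read as binary are 0x313635 = 3225141, outside it.
    print("binary    :", in_range(HEADER, CURSOR, 3, 160, 170, False))
```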

