[Snort-sigs] byte_test and buffer cursor
snort at ...3751...
Thu Feb 9 16:30:58 EST 2017
Does a byte_test move the cursor into a buffer the number of bytes it tests? Does is depend on the buffer against which the byte_test is operating?
In essence, I am trying to use byte_test to validate that the decimal value of X number of bytes fall within a decimal range. Something similar to:
http_raw_header; byte_test:3,>,160,0,relative; byte_test:3,<,170,0,relative;
If the first byte_test above moves the cursor 3 bytes into the buffer, how can I reset the cursor back to the beginning of the buffer of the last/relative content match (http_raw_header)? Or am I just doing it all wrong?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs