[Snort-users] Hardcore -r question

Mark Evans Mark.Evans at ...2251...
Tue Jun 12 20:58:37 EDT 2001


note that 111 in binary is          01101111
and that 62319 in binary is 1111001101101111

so if you just look at the binary then they
both match on the 2nd byte - the one that [3:1]
looks at.

it would have matched a whole load of other
packets that ended 01101111 if you had received 
any.

as I understand it (YMMV)

cheers,

-- 
me


> From: Martin Roesch [mailto:roesch at ...1935...] 
> Subject: Re: [Snort-users] Hardcore -r question
> 
> 
> Try 'tcp[2:2] == 111', I bet that'll work.  BPF starts 
> counting at zero for headers, so tcp[0:2] covers the first 
> 16 bits of the tcp header, tcp[2:2] covers the second 
> 16 bits (i.e. the destination port).
> 
> You could also just say 'dst port 111'.
> 
>     -Marty
> 
> John Sage wrote:
> > 
> > I'm playing with using the -r switch and tcpdump syntax on 
> > a binary log file, and I'm having one heckuva time understanding why 
> > this command line:
> > 
> > snort -dv -r snort-0609 at ...2233... 'tcp[3:1] == 111 '
> > 
> > returns what it does.
> > 
> > I expect it to return packets with destination port 111, 
> > which it does,
> > but WTF? It returns five other packets with a value of 62319 as the
> > destination port, too.

[cut]
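Marty's offset explanation and Mark's byte arithmetic, as an added Python example that is not from the thread: it builds constructed 20-byte TCP headers (sample ports chosen here, not captured traffic) and evaluates a `tcp[offset:size] == value` test the way BPF reads it, so you can see why `tcp[3:1] == 111` also selects port 62319 (0xF36F) while `tcp[2:2] == 111` does not.

```python
import struct


def make_tcp_header(dst_port: int, src_port: int = 1024) -> bytes:
    """Constructed 20-byte TCP header: ports, zero seq/ack, data offset 5,
    SYN flag, window 8192, zero checksum and urgent pointer."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       5 << 4, 0x02, 8192, 0, 0)


def bpf_field(tcp: bytes, offset: int, size: int) -> int:
    """Value of tcp[offset:size] as BPF reads it: zero-based offset from the
    start of the TCP header, big-endian, 1/2/4-byte accesses only."""
    if size not in (1, 2, 4):
        raise ValueError("BPF supports only 1-, 2- and 4-byte accesses")
    if offset + size > len(tcp):
        raise ValueError("access runs past the end of the header")
    return int.from_bytes(tcp[offset:offset + size], "big")


def matches(tcp: bytes, offset: int, size: int, value: int) -> bool:
    """True if the packet would pass 'tcp[offset:size] == value'."""
    return bpf_field(tcp, offset, size) == value


def filter_hits(ports, offset: int, size: int, value: int):
    """Destination ports (from the sample list) whose packets the filter
    tcp[offset:size] == value selects."""
    return [p for p in ports
            if matches(make_tcp_header(p), offset, size, value)]


# Sample destination ports; 62319 = 0xF36F and 367 = 0x016F both end in
# the byte 0x6F = 111, so a one-byte test at offset 3 cannot tell them apart.
PORTS = [111, 62319, 22, 367, 80]

if __name__ == "__main__":
    for off, size in ((3, 1), (2, 2)):
        hits = filter_hits(PORTS, off, size, 111)
        print(f"tcp[{off}:{size}] == 111 selects dst ports: {hits}")
    hdr = make_tcp_header(62319)
    print(f"tcp[2:2] of the 62319 packet = {bpf_field(hdr, 2, 2)} "
          f"= 0x{bpf_field(hdr, 2, 2):04x}; tcp[3:1] = {bpf_field(hdr, 3, 1)}")
```

The low byte alone is what `[3:1]` compares, which is why any destination port whose low byte is 0x6F passes; the two-byte `[2:2]` test (or plain `dst port 111`) checks the whole port.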