[Snort-users] libpcap filter expressions
mwiater at ...3065...
Tue Oct 16 06:42:30 EDT 2001
I've read the well-written (thanks folks) documentation on rule writing for
this great product (thanks folks), but can't find any mention of the ability
to use libpcap syntax filter expressions.
There have been a couple of times that I've wanted a rule that would do
things like evaluate a bit at a specific location. This time I want to see if
a UDP DNS packet has the Truncated bit set; that would be at offset 13 in the
data portion of a UDP packet, second byte (I think).
My questions are:
Did I miss something? Can Snort do that?
Is incorporation of this ability worth consideration?
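
Added example, not part of the original post and not Snort or libpcap code: a bit test on the DNS TC flag done by hand over a raw IPv4/UDP packet, using the RFC 1035 header layout (2-byte ID, then the flags, with TC at mask 0x02 of the first flags byte). The function names, addresses and sample packets are constructed for illustration.

```python
import struct

# Same test as a libpcap expression: udp port 53 and udp[10] & 0x02 != 0
# (udp[n] indexes from the start of the UDP header and skips non-first fragments).
UDP_HDR_LEN = 8
DNS_FLAGS_OFFSET = 2   # DNS header: 2-byte ID, then 2-byte flags (RFC 1035)
TC_MASK = 0x02         # first flags byte: QR 0x80, Opcode 0x78, AA 0x04, TC 0x02, RD 0x01

def dns_tc_set(ip_packet: bytes) -> bool:
    """Return True if an IPv4/UDP packet to or from port 53 has the DNS TC bit set."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return False
    ihl = (ip_packet[0] & 0x0F) * 4            # header length varies with IP options
    if ihl < 20 or ip_packet[9] != 17:         # protocol 17 = UDP
        return False
    frag_offset = struct.unpack("!H", ip_packet[6:8])[0] & 0x1FFF
    if frag_offset != 0:                       # later fragments carry no UDP header
        return False
    udp = ip_packet[ihl:]
    if len(udp) < UDP_HDR_LEN + DNS_FLAGS_OFFSET + 1:
        return False                           # too short to hold the flags byte
    sport, dport = struct.unpack("!HH", udp[:4])
    if 53 not in (sport, dport):
        return False
    return bool(udp[UDP_HDR_LEN + DNS_FLAGS_OFFSET] & TC_MASK)

def build_packet(flags: int, options: bytes = b"", sport: int = 53) -> bytes:
    """Construct a sample IPv4/UDP/DNS response (constructed data, checksums zero)."""
    dns = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    udp = struct.pack("!HHHH", sport, 40000, UDP_HDR_LEN + len(dns), 0) + dns
    ihl = 20 + len(options)                    # options must be a multiple of 4 bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | (ihl // 4), 0, ihl + len(udp),
                     0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + options + udp

if __name__ == "__main__":
    samples = {
        "truncated response": build_packet(0x8380),
        "normal response": build_packet(0x8180),
        "truncated, with IP options": build_packet(0x8380, options=b"\x01" * 4),
        "TC bit pattern, not port 53": build_packet(0x8380, sport=5353),
    }
    for name, pkt in samples.items():
        print(f"{name}: {dns_tc_set(pkt)}")
```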