[Snort-users] libpcap filter expressions

Mark Wiater mwiater at ...3065...
Tue Oct 16 06:42:30 EDT 2001


Hello all,

I've read the well written (thanks folks) documentation on rule writing for 
this great product (thanks folks), but I can't find any mention of the ability 
to use libpcap syntax filter expressions.

There have been a couple of times that I've wanted a rule that would do 
things like evaluate a bit at a specific location. This time I want to see if 
a UDP DNS packet has the Truncated bit set; that would be at offset 13 in the 
data portion of a UDP packet, second byte (I think).

My questions are: 
 Did I miss something? Can Snort do that?
 Is incorporation of this ability worth consideration?

thanks

Mark
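The check the post asks about, worked as an added example (not from the original post, and not Snort's or libpcap's own code): the DNS header (RFC 1035) puts its 16-bit flags word at DNS offset 2, and the TC bit is 0x02 of the high byte of that word, so in a UDP datagram it is byte 10 counting from the start of the 8-byte UDP header. The `BPF_TRUNCATED_DNS` string is the equivalent pcap-filter expression (`udp[N]` indexing in libpcap applies to IPv4 only); the constructed sample datagrams, port numbers and transaction ID are assumptions for illustration.

```python
import struct

# pcap-filter expression mirrored by dns_truncated() below: byte 10 of the UDP
# datagram (8-byte UDP header + high byte of the DNS flags word at DNS offset 2)
# masked with 0x02, the TC bit. Assumes the standard RFC 1035 header layout.
BPF_TRUNCATED_DNS = "udp src port 53 and udp[10] & 0x02 != 0"

UDP_HEADER_LEN = 8
DNS_HEADER_LEN = 12
DNS_FLAGS_OFFSET = 2   # flags word follows the 2-byte transaction ID
TC_MASK = 0x02         # high flags byte is QR | Opcode(4) | AA | TC | RD


def build_udp_dns(src_port, dst_port, txid, flags, qdcount=0, ancount=0):
    """Construct a UDP datagram carrying a bare DNS header (constructed sample data).
    The UDP checksum is left at zero, which IPv4 permits."""
    dns = struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, UDP_HEADER_LEN + len(dns), 0)
    return udp_hdr + dns


def dns_truncated(udp_datagram):
    """True if the DNS message inside a UDP datagram has TC set.
    Same byte and mask as BPF_TRUNCATED_DNS: udp[10] & 0x02."""
    if len(udp_datagram) < UDP_HEADER_LEN + DNS_HEADER_LEN:
        return False  # too short to contain a full DNS header
    return bool(udp_datagram[UDP_HEADER_LEN + DNS_FLAGS_OFFSET] & TC_MASK)


def parse_dns_flags(udp_datagram):
    """Decode the flags word into named fields, for comparison with the byte test."""
    (flags,) = struct.unpack_from("!H", udp_datagram, UDP_HEADER_LEN + DNS_FLAGS_OFFSET)
    return {
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
    }


# Constructed samples: a normal response (QR, RD, RA) and the same response with TC set.
NORMAL = build_udp_dns(53, 40000, 0x1234, 0x8180)
TRUNCATED = build_udp_dns(53, 40000, 0x1234, 0x8380)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("truncated", TRUNCATED)):
        print(name, dns_truncated(pkt), parse_dns_flags(pkt))
```

A truncated UDP response is the server's signal to retry over TCP, so seeing many of them from a resolver is worth a look: either responses are legitimately large, or something is being padded or amplified. The length guard in `dns_truncated()` matters in practice, since a byte test on a short datagram would otherwise read past the packet.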
