[Snort-users] SSL worm sigs

Matt Kettler mkettler at ...4108...
Mon Sep 16 13:58:04 EDT 2002


The "fences" in things like this: "|0d 0a|"  are delimiters to indicate hex 
byte values instead of litteral text. So that string matches a 2 character 
sequence, consisting of a CR and a LF. Whereas "0d 0a" matches a 5 byte 
sequence consisting of ascii zero, ascii d, ascii space.. etc.



At 03:53 PM 9/16/2002 -0400, Tim Bogart wrote:
>If you please;  This will probably sound like a stupid question but ...
>
>Are the fences around the actual signature part of the signatue, or are they
>delimiters used by snort?





More information about the Snort-users mailing list