[Snort-users] SSL worm sigs
mkettler at ...4108...
Mon Sep 16 13:58:04 EDT 2002
The "fences" in things like this: "|0d 0a|" are delimiters to indicate hex
byte values instead of litteral text. So that string matches a 2 character
sequence, consisting of a CR and a LF. Whereas "0d 0a" matches a 5 byte
sequence consisting of ascii zero, ascii d, ascii space.. etc.
At 03:53 PM 9/16/2002 -0400, Tim Bogart wrote:
>If you please; This will probably sound like a stupid question but ...
>Are the fences around the actual signature part of the signatue, or are they
>delimiters used by snort?
More information about the Snort-users