[Snort-users] byte_jump

Brian Caswell bmc at ...950...
Sun Feb 20 14:53:43 EST 2005


On Feb 20, 2005, at 12:30 PM, mosquitooth at ...158... wrote:
> I'm not quite sure about the use of the multiplier statement, so would
> this be correct?
>
> byte_jump: 2,4,big,multiplier 34;
>
> Is the string 'multiplier' necessary? I've not found any rule deployed
> with snort that does use this multiplier...


Here is what your byte_jump would do:

starting 4 bytes into the packet, read 2 bytes and treat it as a big 
endian integer.  Multiply the result by 34, and jump that many bytes 
forwards from the end of the data we just read.

So if your packet in hex was:

00 00 00 00 00 01 00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 
88 99 00 11 22 33 44 55 66 77 88 99 00 11 22 33 FF

Then the doe_ptr would be at the start of FF.

Brian
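To make the arithmetic above checkable, here is a small Python model of the byte_jump semantics Brian describes, run over his example packet. This is an added example, not Snort's own code or code from the thread; the function name `byte_jump` and its parameters are assumptions, and the packet is constructed from the hex in the post.

```python
# Packet constructed from the hex in Brian's post (not a real capture).
PACKET = bytes.fromhex(
    "00 00 00 00 00 01 00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77"
    " 88 99 00 11 22 33 44 55 66 77 88 99 00 11 22 33 FF"
)


def byte_jump(data, num_bytes, offset, endian="big", multiplier=1,
              doe_ptr=0, relative=False):
    """Model of byte_jump: read num_bytes at offset (absolute, or relative to
    the current doe_ptr when relative=True), interpret them as an integer in
    the given byte order, multiply by multiplier, and move doe_ptr that many
    bytes forward from the end of the field just read. Returns the new doe_ptr.
    """
    start = (doe_ptr if relative else 0) + offset
    end = start + num_bytes
    if start < 0 or end > len(data):
        # The field to convert must lie inside the payload.
        raise ValueError("byte_jump: conversion field outside payload")
    value = int.from_bytes(data[start:end], endian)
    new_ptr = end + value * multiplier
    if new_ptr > len(data):
        # A jump landing past the payload cannot be followed by further
        # content matches, so treat it as a failed jump.
        raise ValueError("byte_jump: jump target outside payload")
    return new_ptr


def example_from_post():
    """byte_jump: 2,4,big,multiplier 34; applied to PACKET."""
    return byte_jump(PACKET, 2, 4, "big", 34)


if __name__ == "__main__":
    ptr = example_from_post()
    print(f"doe_ptr = {ptr}, byte there = 0x{PACKET[ptr]:02X}")
```

With the post's packet the field at offset 4 reads 0x0001, so the jump is 1 * 34 = 34 bytes from offset 6, landing on the FF at offset 40.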




