[Snort-users] snort rule byte_test operator problem

Paul Schmehl pauls at ...6838...
Tue May 15 13:41:20 EDT 2007


--On Tuesday, May 15, 2007 09:57:32 -0700 Jasmine Chua 
<babymagic_89 at ...131...> wrote:

> Dear Snort users,
>
> I have been trying to figure out the snort rule option
> "byte_test".
> http://www.snort.org/docs/snort_htmanuals/htmanual_261/node203.html
>
> For instance, we have
>
> byte_test:4,>,128,relative;
>
> that will grab 4 bytes which happens to be "00 00 0F FF"
>
> So, in this case, how do I manually calculate to check
> if the above 4 bytes are actually > 128 or not?
> Problem is I do not know what the value 128
> represents. Is it in decimal?
>
> Sorry, if my question sounds stupid, I really can't
> help it.

I had a fifth grade math teacher who said, "The only stupid question is the 
one you do not ask."

128 is decimal, but the packet is in hex.  So you have to convert from hex 
to decimal.  Most computers have a scientific calculator that will do this 
for you easily.  Click on hex.  Type in the values in the packet.  Then 
click on decimal.

In this case, |00 00 0F FF| = 4095.  Well beyond the 128 boundary.

-- 
Paul Schmehl (pauls at ...6838...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
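As an added illustration (not part of Paul's reply or of Snort's own code), the following Python models byte_test's binary mode: take `count` bytes at `offset` (counted from the end of the previous content match when `relative` is set), read them as an unsigned integer, and compare against the decimal value. The sample payload and the `doe` parameter name are constructed for this example.

```python
import operator

# Comparison operators byte_test accepts in binary mode (Snort 2 manual):
# < > = & ^ ; a leading "!" negates the result, e.g. "!>" is "not greater than".
_OPS = {
    "<": operator.lt,
    ">": operator.gt,
    "=": operator.eq,
    "&": lambda a, b: (a & b) != 0,   # bitwise AND: any tested bit set
    "^": lambda a, b: (a ^ b) != 0,   # bitwise XOR: any tested bit differs
}


def byte_test(payload, count, op, value, offset, doe=0, relative=False, little=False):
    """Evaluate byte_test:<count>,<op>,<value>,<offset>[,relative][,little].

    payload  -- packet payload as bytes
    value    -- the rule's comparison value, a plain decimal integer
    doe      -- "detect offset end": where the previous content match ended;
                the base for offset when relative=True (name chosen for this example)
    Returns True when the extracted integer satisfies the test.
    """
    if not 1 <= count <= 4:
        raise ValueError("byte_test converts 1 to 4 bytes in binary mode")
    negate = op.startswith("!")
    compare = _OPS[op.lstrip("!")]
    start = (doe if relative else 0) + offset
    chunk = payload[start:start + count]
    if len(chunk) < count:
        return False  # not enough payload left: the test cannot match
    # The packet holds raw bytes; this is the "hex to decimal" step done by hand above.
    extracted = int.from_bytes(chunk, "little" if little else "big")
    result = compare(extracted, value)
    return not result if negate else result


# Constructed sample: the four bytes from the question, 00 00 0F FF, preceded by
# two header bytes that an earlier content match is assumed to have consumed.
SAMPLE = bytes.fromhex("AB CD 00 00 0F FF")


def example():
    """byte_test:4,>,128,0,relative with the previous match ending at offset 2."""
    return (
        int.from_bytes(SAMPLE[2:6], "big"),                              # 4095
        byte_test(SAMPLE, 4, ">", 128, 0, doe=2, relative=True),          # True
        byte_test(SAMPLE, 4, "<", 128, 0, doe=2, relative=True),          # False
    )
```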