[Snort-users] byte_jump question
mtrolley at ...14423...
Tue Sep 23 14:40:01 EDT 2008
I'm having trouble using byte_jump, so I am looking for some assistance. The packet in question has a 4-byte header, the last 2 bytes of which contain the length of the entire payload (including the header). The data I want to check is contained in the last 5 bytes of the payload. For example, if the payload were:
00 00 00 34 ... 11 22 33 44 55
the length of the payload is 52 bytes, and bytes 48-52 contain the pattern I want to check for.
My first question is: is this byte_jump correct for putting the doe_ptr at the end of the payload?
This isn't working for me though. When I have this as part of my rule it doesn't get triggered. Using the same example as above I get a hit if I use this as my rule:
alert tcp any any -> any any (msg:"Message here"; content:"|00 00 00|"; offset:0; depth:3; sid:1000000; rev:1;) # works
but I don't get a hit if I add the byte_jump:
alert tcp any any -> any any (msg:"Message here"; content:"|00 00 00|"; offset:0; depth:3; byte_jump:2,2,from_beginning; sid:1000000; rev:1;) # does not work
What am I missing?
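An added Python emulation of the documented byte_jump semantics (offset counted from the payload start when relative is absent, big-endian by default, from_beginning and post_offset), run on the payload described in the post; this is editor-added example code, not Snort's implementation or the poster's rule. It assumes that a jump landing at or past the end of the payload counts as no match and that post_offset is available in the Snort version in use.

```python
import struct

# Constructed payload matching the description above: a 4-byte header whose
# last two bytes hold the total length (0x0034 = 52), filler, then the five
# bytes 11 22 33 44 55 at the very end.
SAMPLE = bytes([0, 0, 0, 0x34]) + bytes(43) + bytes([0x11, 0x22, 0x33, 0x44, 0x55])

def byte_jump(payload, doe_ptr, size, offset, relative=False,
              from_beginning=False, little_endian=False, post_offset=0):
    """Emulate byte_jump. Returns the new doe_ptr, or None when the value
    would be read from, or the jump would land, outside the payload
    (assumption: Snort treats either case as no match)."""
    start = (doe_ptr if relative else 0) + offset
    if start < 0 or start + size > len(payload):
        return None
    fmt = ("<" if little_endian else ">") + {1: "B", 2: "H", 4: "I"}[size]
    value = struct.unpack(fmt, payload[start:start + size])[0]
    origin = 0 if from_beginning else start + size
    target = origin + value + post_offset
    return target if 0 <= target < len(payload) else None

def content_relative(payload, doe_ptr, pattern):
    """content:"..."; relative; within:len(pattern) immediately after a jump."""
    return doe_ptr is not None and payload[doe_ptr:doe_ptr + len(pattern)] == pattern

def posted_rule_doe_ptr(payload):
    """The rule from the post: the header match leaves doe_ptr at 3, then
    byte_jump:2,2,from_beginning reads bytes 2-3 (52) and jumps to 52."""
    if payload[0:3] != b"\x00\x00\x00":
        return None
    return byte_jump(payload, 3, 2, 2, from_beginning=True)

def adjusted_rule(payload):
    """Same jump with post_offset:-5, which lands on the last five bytes so a
    relative content match can check them."""
    if payload[0:3] != b"\x00\x00\x00":
        return False
    ptr = byte_jump(payload, 3, 2, 2, from_beginning=True, post_offset=-5)
    return content_relative(payload, ptr, b"\x11\x22\x33\x44\x55")

if __name__ == "__main__":
    print("posted rule doe_ptr:", posted_rule_doe_ptr(SAMPLE))  # None (52 is past the last byte)
    print("adjusted rule matches:", adjusted_rule(SAMPLE))      # True
```

Under this emulation the posted jump lands exactly one byte past the payload, which is why nothing after it can match; pulling the pointer back by five with post_offset leaves a relative content check on the trailing bytes.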