[Snort-users] invalid use of byte_test on sid:16603

Will Metcalf william.metcalf at ...11827...
Thu Jun 24 12:21:35 EDT 2010


Unless something has changed I think the use of byte_test in sid:16603
is invalid as snort only parses the first char in ">=", actually
making the test byte_test:4,>,97612894,0,relative,little;. Also I have
the registered feed so if this is fixed already please disregard.

So I think you probably want to modify...

byte_test:4,>=,97612894,0,relative,little;

to be..

byte_test:4,>,97612893,0,relative,little;

Regards,

Will




More information about the Snort-users mailing list