[Snort-users] FW: Snort rule for a pattern match?

Shields, Joseph (NIH/NIEHS) [C] joseph.shields at ...7983...
Thu Mar 7 15:19:59 EST 2013


I am looking for a pattern that identifies a threat I am tracking and need to write a signature to find it.  The problem is that I don't know what the starting character will be but I will always know what the difference between two given characters will be.

A simple, human-readable example is:

ABCDTSRQ

The difference between each character is:

[A] is 1 SMALLER than [B] is 1 SMALLER than [C] is 1 SMALLER than [D] is 16 SMALLER than [T] is 1 BIGGER than [S] is 1 BIGGER than [R] is 1 BIGGER than [Q]

The pattern in this example is -1,-1,-1,-16,+1,+1,+1.

BCDEXWVU would match this pattern and so would HIJKZXYW.

How can I write this rule?

Brian
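
The relative match described in this message, written out as an added example (not part of the original post and not Snort's own code): a C function that scans a payload for any window whose consecutive byte differences equal the post's delta list. The function names and every sample payload except ABCDTSRQ are constructed here, and the code assumes plain byte-value differences with no wraparound.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Delta list from the post; entry i is byte[i] - byte[i+1]. */
static const int POST_DELTAS[] = { -1, -1, -1, -16, +1, +1, +1 };
#define POST_NDELTAS (sizeof(POST_DELTAS) / sizeof(POST_DELTAS[0]))

/* Return the offset of the first window in buf whose consecutive byte
 * differences equal deltas[0..ndeltas-1], or -1 if there is none. */
long find_delta_pattern(const unsigned char *buf, size_t len,
                        const int *deltas, size_t ndeltas)
{
    size_t window = ndeltas + 1;   /* n deltas span n + 1 bytes */
    if (buf == NULL || deltas == NULL || ndeltas == 0 || len < window)
        return -1;

    for (size_t start = 0; start + window <= len; start++) {
        size_t i = 0;
        while (i < ndeltas &&
               (int)buf[start + i] - (int)buf[start + i + 1] == deltas[i])
            i++;
        if (i == ndeltas)          /* every difference matched */
            return (long)start;
    }
    return -1;
}

/* Hypothetical wrapper: apply the post's delta list to a C string. */
long find_post_pattern(const char *s)
{
    return find_delta_pattern((const unsigned char *)s, strlen(s),
                              POST_DELTAS, POST_NDELTAS);
}

int main(void)
{
    /* Constructed sample payloads; only ABCDTSRQ comes from the post. */
    const char *samples[] = {
        "ABCDTSRQ",                      /* match at offset 0 */
        "GET /x?id=bcdeutsr HTTP/1.1",   /* same deltas, other start byte */
        "ABCDTSRR",                      /* last difference is 0, not +1 */
        "ABCDTSR",                       /* one byte too short */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-30s -> %ld\n", samples[i], find_post_pattern(samples[i]));
    return 0;
}
```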
