[Snort-users] FW: Snort rule for a pattern match?
Shields, Joseph (NIH/NIEHS) [C]
joseph.shields at ...7983...
Thu Mar 7 15:19:59 EST 2013
I am looking for a pattern that identifies a threat I am tracking and need to write a signature to find it. The problem is that I don't know what the starting character will be but I will always know what the difference between two given characters will be.
A simple, human readable, example is:
The difference between each character is:
[A] is 1 SMALLER than [B] is 1 SMALLER than [C] is 1 SMALLER than [D] is 16 SMALLER than [T] is 1 BIGGER than [S] is 1 BIGGER than [R] is 1 BIGGER than [Q]
The pattern in this example is -1,-1,-1,-16,+1,+1,+1.
BCDEXWVU would match this pattern and so would HIJKZXYW.
How can I write this rule?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users