[Snort-users] Comparison of extracted value between packets

James Lay jlay at ...13475...
Tue Dec 16 10:24:51 EST 2014


On 2014-12-16 08:04 AM, Patrick Mullen wrote: 

>> In a flow-bit based rule, is it possible to extract a value from packet A and compare
>> (byte_test) with a value in packet B?
>
> The short answer is "no."
>
> The medium answer is "well, it depends. Are both packets coming from the
> same host and going to the same host and is the stream reassembled,
> thereby (potentially) putting the two values into the same reassembled
>
> The long answer is "with shared object rules, all things
> are possible."
>
> Sorry the answer is somewhat vague, but your question
> doesn't have enough information to give a complete answer. I would
> potentially need a pcap and a clear description of what you're trying to
> do to give you a better answer.
>
> Thanks,
> ~Patrick
>
> --
> Patrick Mullen
> Response Research Manager
> Sourcefire

LOL....Patrick that is an AWESOME answer :) 

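The three cases in Patrick's reply, written out as Snort 2.x rules. These are an added illustration and not rules posted by either participant; the port (9999), the two-byte record markers `AA 01` / `AA 02`, the length fields that follow them, the flowbit name and the sids are all hypothetical:

```snort
# Case 1 ("no"): a flowbit carries one bit of state, not a value.
# Rule 1000001 remembers that the first record was seen; it cannot remember
# the 16-bit length that follows the AA 01 marker.
alert tcp $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"EXAMPLE first record seen"; flow:to_server,established; content:"|AA 01|"; depth:2; flowbits:set,example.first_seen; flowbits:noalert; sid:1000001; rev:1;)

# Rule 1000002 fires on packet B only after A was seen, but byte_test can only
# compare B's length against a literal (1024 here), never against A's length.
alert tcp $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"EXAMPLE second record length over limit"; flow:to_server,established; flowbits:isset,example.first_seen; content:"|AA 02|"; depth:2; byte_test:2,>,1024,0,relative; sid:1000002; rev:1;)

# Case 2 ("it depends"): if both records land in the same buffer (one packet,
# or one stream-reassembled PDU from the same client to the same server), a
# single rule can byte_extract the first length and byte_test the second
# against it, because byte_extract variables live only for one rule evaluation.
alert tcp $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"EXAMPLE second record longer than first"; flow:to_server,established; content:"|AA 01|"; depth:2; byte_extract:2,0,first_len,relative; content:"|AA 02|"; distance:0; byte_test:2,>,first_len,0,relative; sid:1000003; rev:1;)

# Case 3 ("shared object rules"): carrying A's value to a later packet needs
# per-flow storage that the rule language does not expose; that is what an SO
# rule written in C can do, and no text rule is shown for it here.
```

Rule 1000003 is the one worth testing against a pcap: with stream5 reassembling the client side it matches when the two records arrive in separate segments of one session, and it stops matching once the records are split across buffers the reassembler does not merge, which is exactly the "it depends" in the reply.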