[Snort-users] Comparison of extracted value between packets

Praveen D praveend.hac at ...11827...
Thu Dec 18 02:59:35 EST 2014


Hi Patrick,

Thank you for the info.

Packet1: 90 eb 09 05 41 *00 0c* 41 31 31 00
Packet2: 90 90 09 05 51 *00 10* 32 50 eb 22 00 0c

Both packets are part of the same stream (same src/dst IP, src/dst port,
protocol).
I want to extract the value 0x000c from packet 1 and compare it with 0x0010 in
packet 2.

Best Regards,
Praveen Darshanam

On Tue, Dec 16, 2014 at 8:34 PM, Patrick Mullen <pmullen at ...1935...>
wrote:
>
> > In a flow-bit based rule, is it possible to extract value from packet A
> and compare (byte_test) with a value in packet B.
>
> The short answer is "no."
>
> The medium answer is "well, it depends.  Are both packets coming from the
> same host and going to the same host and is the stream reassembled, thereby
> (potentially) putting the two values into the same reassembled packet?"
>
> The long answer is "with shared object rules, all things are possible."
>
> Sorry the answer is somewhat vague, but your question doesn't have enough
> information to give a complete answer.  I would potentially need a pcap and
> a clear description of what you're trying to do to give you a better answer.
>
>
> Thanks,
>
> ~Patrick
> --
> Patrick Mullen
> Response Research Manager
> Sourcefire VRT
>
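The point in Patrick's "medium answer" can be shown with a small model of the byte_extract / byte_test logic run over the two packets Praveen posted. This is an added example, not code from the thread or from Snort; it assumes the 2-byte value sits one byte after a `|09 05|` marker (as in both dumps), and that rule variables do not persist from one packet to the next.

```python
# Model of the rule Praveen wants, roughly (assumed Snort syntax, unverified):
#   content:"|09 05|"; byte_extract:2,1,val,relative,big;
#   content:"|09 05|"; distance:0; byte_test:2,>,val,1,relative,big;
# byte_extract variables live only for the buffer being inspected, so the rule
# can match only when both records end up in one (reassembled) buffer.

# Sample packets constructed from the hex dumps in the thread.
PACKET1 = bytes.fromhex("90eb090541000c41313100")
PACKET2 = bytes.fromhex("909009055100103250eb22000c")

MARKER = b"\x09\x05"      # assumed content match preceding each value
VALUE_OFFSET = 1          # value starts 1 byte after the marker
VALUE_LEN = 2             # 2-byte big-endian field


def extract_field(buf, start):
    """Model of content + byte_extract: find MARKER at or after `start` and
    return (value, position after the value), or (None, -1) if absent."""
    pos = buf.find(MARKER, start)
    if pos < 0:
        return None, -1
    begin = pos + len(MARKER) + VALUE_OFFSET
    end = begin + VALUE_LEN
    if end > len(buf):                      # field truncated at buffer end
        return None, -1
    return int.from_bytes(buf[begin:end], "big"), end


def evaluate_rule(buf):
    """Evaluate the two-record rule against one detection buffer.
    Returns None when a record is missing (no match possible), else a tuple
    (first_value, second_value, second_greater_than_first)."""
    val1, after = extract_field(buf, 0)
    if val1 is None:
        return None
    val2, _ = extract_field(buf, after)     # relative to the first match
    if val2 is None:
        return None
    return val1, val2, val2 > val1


if __name__ == "__main__":
    # Per-packet inspection: each packet holds only one record, so the
    # extracted value from packet 1 is gone by the time packet 2 is seen.
    print("packet 1 alone:", evaluate_rule(PACKET1))
    print("packet 2 alone:", evaluate_rule(PACKET2))
    # Stream reassembly puts both records into one buffer; the comparison
    # becomes expressible in a single rule.
    print("reassembled   :", evaluate_rule(PACKET1 + PACKET2))
```

Run stand-alone it shows the per-packet cases yielding no match and the reassembled stream yielding 0x000c against 0x0010.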