[Snort-users] byte_test/byte_jump negative offsets

Praveen D praveend.hac at ...11827...
Tue Dec 23 00:14:30 EST 2014


Thank you Nick Randolph and Alex Tatistcheff for your help.

Best Regards,
Praveen Darshanam

On Tue, Dec 23, 2014 at 12:20 AM, Nick Randolph <drandolph at ...1935...>
wrote:

> You want -8. The cursor is at the end of the content match. -4 only moves
> the cursor to the beginning of "tEXt".
>
> On Thu, Dec 18, 2014 at 3:11 AM, Praveen D <praveend.hac at ...11827...> wrote:
>
>> Hi,
>>
>> Below is the data which I am trying to detect
>> 1c 0c 00 00 *74 45 58 74* 41 41 41 41 41 41 41 41   ....*tEXt*AAAAAAAA
>>
>> content:"tEXt"; byte_test:4,>,0x3000,*-4*,relative;
>> Extract 0x1c0c0000 and compare with 0x3000
>>
>> After matching tEXt, where does the pointer point to? Should I use
>> offset:-4 or offset:-8?
>>
>> Best Regards,
>> Praveen Darshanam
>>
>>
>
>
> --
>
> Nick Randolph
> Research Engineer
> Sourcefire, Inc.
> nrandolph at ...1935...
> Sourcefire.com <http://www.sourcefire.com/>
>
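The cursor behaviour Nick describes can be checked without running Snort. The following is an added example, not code from the thread or from the Snort project: it mimics the relevant part of Snort's detection-engine semantics (a successful `content` match leaves the cursor just past the matched bytes; `byte_test` with `relative` reads at cursor plus offset, big-endian by default) and runs the rule from the question against two constructed payloads. Function names and the payloads are assumptions made for the example. It also shows why `-4` is not merely off by four bytes but silently tests the wrong field: it extracts the ASCII bytes of "tEXt" as an integer, which happens to exceed 0x3000, so the rule would alert regardless of the real length value.

```python
import operator

# Constructed sample payloads (not captured traffic), modelled on the bytes in
# the thread: a 4-byte big-endian length field, the "tEXt" tag, 8 bytes of padding.
BIG_LENGTH = bytes.fromhex("1c0c0000") + b"tEXt" + b"A" * 8     # 0x1c0c0000 > 0x3000
SMALL_LENGTH = bytes.fromhex("00001000") + b"tEXt" + b"A" * 8   # 0x00001000 <= 0x3000

OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq, "!=": operator.ne}


def content_match(payload: bytes, pattern: bytes, start: int = 0):
    """Mimic Snort's content match: on success the detection cursor is left
    just past the last byte of the match. Returns the cursor or None."""
    idx = payload.find(pattern, start)
    return None if idx < 0 else idx + len(pattern)


def byte_test(payload: bytes, cursor: int, num_bytes: int, op: str, value: int,
              offset: int, relative: bool = True, endian: str = "big"):
    """Mimic byte_test:<bytes>,<op>,<value>,<offset>[,relative].
    Returns (matched, extracted_value, read_position). Big-endian by default,
    as in Snort; a read outside the buffer simply fails the option."""
    pos = (cursor if relative else 0) + offset
    if pos < 0 or pos + num_bytes > len(payload):
        return (False, None, pos)
    extracted = int.from_bytes(payload[pos:pos + num_bytes], endian)
    return (OPS[op](extracted, value), extracted, pos)


def evaluate_rule(payload: bytes, offset: int):
    """Evaluate: content:"tEXt"; byte_test:4,>,0x3000,<offset>,relative;"""
    cursor = content_match(payload, b"tEXt")
    if cursor is None:
        return (False, None, None)          # content failed, byte_test never runs
    return byte_test(payload, cursor, 4, ">", 0x3000, offset, relative=True)


if __name__ == "__main__":
    for name, payload in (("BIG_LENGTH", BIG_LENGTH), ("SMALL_LENGTH", SMALL_LENGTH)):
        for off in (-4, -8):
            matched, extracted, pos = evaluate_rule(payload, off)
            print(f"{name:12} offset {off:3}: reads at byte {pos}, "
                  f"extracted 0x{extracted:08x}, alert={matched}")
```

With offset -8 the test reads bytes 0..3 (0x1c0c0000 alerts, 0x00001000 does not); with offset -4 it reads bytes 4..7, which are the literal "tEXt" (0x74455874), so both payloads alert. When writing rules with relative byte_test offsets, a negative test case whose length field is below the threshold is what exposes this kind of off-by-four error.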

