[Snort-users] byte_test only on reassembled stream?
duane.security at ...11827...
Fri Dec 11 14:04:25 EST 2015
I currently have a rule that looks for something like:
I have a payload that is a UDP fragment that is tripping this up where the
bytes in the inspected position are 0x87 but on the fully reassembled
stream (and what Snort logs in the pseudopacket) is 0x84.
I'm really only interested in the value from the reassembled part of this,
and not the bits in the data section of the initial fragment, is this
working as intended? Is there a way to accomplish what I want (only match
on the pseudo packet/reassembled byte stream?).
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users