Snort mailing list archives
Re: Hardcore -r question
From: John Sage <jsage () finchhaven com>
Date: Mon, 11 Jun 2001 20:11:04 -0700
Marty: That did it! Thanks!So [0:2] says start at byte 0 (the *first* byte), and examine two (which would be the width of the 16-bit source IP), and [2:2] says start at byte 2 (which is the *third* byte in and which is where the 16-bit dest port starts) and go for two...
[3] and [3:1] kinda worked I guess because they were *kinda* looking in the right place, (start at the third byte in and go for one..) but they got confused...
Martin Roesch wrote:
Try 'tcp[2:2] == 111', I bet that'll work. BPF starts counting at zero for headers, so tcp[0:2] covers the first 16-bits of the tcp header, tcp[2:2] covers the second 16-bits (i.e. the destination port). You could also just say 'dst port 111'.
Yeah.. but that takes all the fun out of it ;-) Thnx, - John
-Marty John Sage wrote:I'm playing with using the -r switch and tcpdump syntax on a binary log file, and I'm having one heckuva time understanding why this command line: snort -dv -r snort-0609 () 0724 log 'tcp[3:1] == 111 ' returns what it does. I expect it to return packets with destination port 111, which it does, but WTF? it returns five other packets with a value of 62319 as the destination port, too. This says, I think, go into the tcp header 3 bytes (first byte's zero,) and a one byte offset into that, and look at it -- and if it's "111" then true and show me the packet. It does exactly the same thing if I say: snort -dv -r snort-0609 () 0724 log 'tcp[3] == 111 ' (Of course, if I just chill out and say "snort -dv -r snort-0609 () 0724 log dst port 111" it works just fine...) Anyway, what am I missing? - John
<snipped to conserve bits in preparation for the upcoming bit shortage> _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Hardcore -r question John Sage (Jun 11)
- Re: Hardcore -r question Martin Roesch (Jun 11)
- Re: Hardcore -r question John Sage (Jun 11)
- <Possible follow-ups>
- RE: Hardcore -r question Mark Evans (Jun 12)
- Re: Hardcore -r question John Sage (Jun 12)
- Re: Hardcore -r question Martin Roesch (Jun 11)