Snort mailing list archives

libpcap filter expressions


From: Mark Wiater <mwiater () bayserve net>
Date: Tue, 16 Oct 2001 09:38:54 -0400

Hello all,

I've read the well written (thanks folks) documentation on rule writing for 
this great product (thanks folks). But can't find any mention of the ability 
to use libpcap syntax filter expressions.

There have been a couple of times that I've wanted a rule that would do 
things like evaluate a bit at a specific location. This time I want to see if 
a UDP DNS packet has the Truncated bit set, that would be at offset 13 in the 
data portion of a udp packet, second byte (I think).

my questions are: 
 did I miss something? Can snort do that?
 Is incorporation of this ability worth consideration?

thanks

Mark
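
Added example, not part of the original post and not Snort code: the bit test asked about above, written as a libpcap filter expression and as the equivalent byte-level check in Python. It assumes IPv4 and the RFC 1035 header layout, where TC is mask 0x02 in the third byte of the DNS header (byte 10 counted from the start of the UDP header); the function names and sample packets are constructed for illustration.

```python
import struct

# Equivalent libpcap filter expression (IPv4; udp[] is indexed from the UDP header):
BPF_FILTER = "udp port 53 and udp[10] & 0x02 != 0"

UDP_HDR_LEN = 8    # fixed UDP header size
DNS_FLAGS_OFF = 2  # first flags byte in the DNS header: QR|Opcode|AA|TC|RD
TC_MASK = 0x02


def dns_tc_set(ip_packet: bytes) -> bool:
    """True if an IPv4 UDP port-53 packet has the DNS TC (truncated) bit set."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return False
    ihl = (ip_packet[0] & 0x0F) * 4           # IP header length varies with options
    if ihl < 20 or ip_packet[9] != 17:        # protocol 17 = UDP
        return False
    if struct.unpack_from("!H", ip_packet, 6)[0] & 0x1FFF:
        return False                          # later fragment: no UDP header here
    udp = ip_packet[ihl:]
    if len(udp) <= UDP_HDR_LEN + DNS_FLAGS_OFF:
        return False                          # too short to hold the flags byte
    sport, dport = struct.unpack_from("!HH", udp, 0)
    if 53 not in (sport, dport):
        return False
    return bool(udp[UDP_HDR_LEN + DNS_FLAGS_OFF] & TC_MASK)


def build_packet(dns_flags: int, ip_options: bytes = b"", frag_off: int = 0) -> bytes:
    """Constructed sample: IPv4 + UDP (source port 53) + bare 12-byte DNS header."""
    dns = struct.pack("!HHHHHH", 0x1234, dns_flags, 1, 0, 0, 0)
    udp = struct.pack("!HHHH", 53, 40000, UDP_HDR_LEN + len(dns), 0) + dns
    ihl_words = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     ihl_words * 4 + len(udp), 0, frag_off, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + ip_options + udp


if __name__ == "__main__":
    print(BPF_FILTER)
    print(dns_tc_set(build_packet(0x8200)))                  # truncated response
    print(dns_tc_set(build_packet(0x8180)))                  # normal response
    print(dns_tc_set(build_packet(0x8200, b"\x01" * 4)))     # with IP options
    print(dns_tc_set(build_packet(0x8200, frag_off=1)))      # non-first fragment
```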


