Snort mailing list archives

Re: byte_test question


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 24 Aug 2012 14:18:10 -0400

You'd probably have to write a shared object rule then.  

--
Joel Esler

On Aug 24, 2012, at 1:43 PM, "harry.tuttle" <harry.tuttle () zoho com> wrote:

But I don't want to see if byte A matches byte B. I want to see if byte A differs from byte B by |n|.


---- On Fri, 24 Aug 2012 09:28:08 -0700 Joel Esler  wrote ---- 

byte_extract. 

If I am reading what you are saying correctly, extract one byte, then do a byte_test to see if the second byte 
matches the first. 


On Aug 24, 2012, at 11:58 AM, "harry.tuttle"  wrote: 

I'm pretty sure there is no way to do this; someone please clue me in if I am missing something. 

I'd like to be able to test if two bytes differ by a certain amount. One or the other could be larger; the values 
of the bytes will vary, but they will always differ by the same amount. 

Thanks, 
Harry 


------------------------------------------------------------------------------ 
Live Security Virtual Conference 
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ 
_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users 

Please visit http://blog.snort.org to stay current on all the latest Snort news!
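
Added example, not part of the original thread and not Snort's own code: the comparison that the C evaluation logic of a shared object rule could run on the payload, generalized from single bytes to 1-, 2- or 4-byte fields. The function names, offsets and the sample payload are assumptions made for illustration; wiring the check into Snort's dynamic rule API is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample payload (not taken from any real traffic). */
static const uint8_t sample_payload[] = { 0x10, 0x41, 0x00, 0x3C, 0x01, 0x00 };

/* Read an unsigned field of 1, 2 or 4 bytes at `off`, big- or little-endian.
 * Returns 0 on success, -1 if the width is unsupported or the field would
 * run past the end of the buffer. */
static int read_field(const uint8_t *buf, size_t len, size_t off,
                      size_t width, int little_endian, uint32_t *out)
{
    if (width != 1 && width != 2 && width != 4)
        return -1;
    if (off > len || width > len - off)   /* written to avoid size_t overflow */
        return -1;
    uint32_t v = 0;
    for (size_t i = 0; i < width; i++) {
        size_t idx = little_endian ? off + width - 1 - i : off + i;
        v = (v << 8) | buf[idx];
    }
    *out = v;
    return 0;
}

/* Returns 1 if |A - B| == n, 0 if it does not, and -1 if either field is
 * out of bounds. Either field may hold the larger value. */
int fields_differ_by(const uint8_t *buf, size_t len, size_t off_a, size_t off_b,
                     size_t width, int little_endian, uint32_t n)
{
    uint32_t a, b;
    if (read_field(buf, len, off_a, width, little_endian, &a) != 0 ||
        read_field(buf, len, off_b, width, little_endian, &b) != 0)
        return -1;
    uint32_t diff = a > b ? a - b : b - a;   /* unsigned absolute difference */
    return diff == n;
}

int main(void)
{
    size_t len = sizeof sample_payload;
    /* Bytes at offsets 1 and 3 are 0x41 and 0x3C. */
    printf("differ by 5: %d\n", fields_differ_by(sample_payload, len, 1, 3, 1, 0, 5));
    printf("differ by 4: %d\n", fields_differ_by(sample_payload, len, 1, 3, 1, 0, 4));
    printf("truncated:   %d\n", fields_differ_by(sample_payload, len, 1, 5, 2, 0, 5));
    return 0;
}
```

The bounds check returns -1 instead of a match or a miss, so a truncated payload can be treated as "rule does not apply" rather than read past the buffer.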



