Snort mailing list archives

Re: Comparison of extracted value between packets


From: Praveen D <praveend.hac () gmail com>
Date: Thu, 18 Dec 2014 13:29:35 +0530

Hi Patrick,

Thank you for the info.

Packet1: 90 eb 09 05 41 *00 0c* 41 31 31 00
Packet2: 90 90 09 05 51 *00 10* 32 50 eb 22 00 0c

Both packets are part of the same stream (same src/dst IP, src/dst port,
protocol).
I want to extract the value 0x000c from packet 1 and compare it with 0x0010 in
packet 2.

Best Regards,
Praveen Darshanam

On Tue, Dec 16, 2014 at 8:34 PM, Patrick Mullen <pmullen () sourcefire com>
wrote:

In a flow-bit based rule, is it possible to extract value from packet A
and compare (byte_test) with a value in packet B.

The short answer is "no."

The medium answer is "well, it depends.  Are both packets coming from the
same host and going to the same host and is the stream reassembled, thereby
(potentially) putting the two values into the same reassembled packet?"

The long answer is "with shared object rules, all things are possible."

Sorry the answer is somewhat vague, but your question doesn't have enough
information to give a complete answer.  I would potentially need a pcap and
a clear description of what you're trying to do to give you a better answer.


Thanks,

~Patrick
--
Patrick Mullen
Response Research Manager
Sourcefire VRT
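For the "it depends" case in Patrick's answer, here is an added example rule that is not part of the thread and not code from Praveen or Sourcefire. It assumes Snort 2.9.x with stream5 TCP reassembly enabled for the port in question, that both segments end up in the same reassembled buffer, and that the client is the sender (the to_server direction is an assumption). The layout it keys on is taken from Praveen's sample bytes: a 09 05 marker, one byte to skip, then a 2-byte big-endian value. byte_extract saves the first value as a variable and byte_test compares the second value against that variable, which only works because both values are in one buffer when the rule runs.

```snort
# Added example (not from the thread). Assumes Snort 2.9.x, stream5
# reassembly for this port, and client-to-server direction.
# Reassembled buffer from Praveen's two packets:
#   90 eb 09 05 41 00 0c 41 31 31 00 90 90 09 05 51 00 10 32 50 eb 22 00 0c
# Walkthrough: first "09 05" ends at offset 4; byte_extract skips 1 byte
# and saves 00 0c (12) as first_val; second "09 05" ends at offset 15;
# byte_test skips 1 byte, reads 00 10 (16) and checks 16 > 12 -> alert.
alert tcp any any -> any any ( \
    msg:"Second 09 05 record value exceeds the first in same stream"; \
    flow:established,to_server; \
    content:"|09 05|"; \
    byte_extract:2,1,first_val,relative; \
    content:"|09 05|"; distance:0; \
    byte_test:2,>,first_val,1,relative; \
    sid:1000001; rev:1; \
)
```

Use `=` instead of `>` in the byte_test if the check is for an exact match. The caveat is the one Patrick raises: if stream5 flushes between the two segments, or the traffic is not reassembled at all, the second content match never sees packet 2 in the same buffer as packet 1 and the rule cannot fire; nothing in the plain rule language carries a byte_extract variable from one packet to the next.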

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!