Snort mailing list archives

Re: Detection of hex pattern given directly in a TCP header

From: Yury Markin <ustas () ispras ru>
Date: Thu, 12 Oct 2017 21:39:02 +0300

Rmkml, thank you for the answer!

I want to detect packets with certain values of TCP options, e.g.
packets with max segment size (1000) and window scale (0). It would be
great if you can advise how this scenario may be implemented.

Best wishes, Ustas.

Чт 12.10.2017 20:34, rmkml пишет:

Hi Ustas,

Yes you are right, is not possible to detect content on tcp header,

but could you describe more what you want to detect exactly on tcp
header please ?

Best Regards
@Rmkml

On Thu, 12 Oct 2017, Маркин Юрий Витальевич wrote:

Hello,

I'm trying to create the Snort rule for detection hex pattern given
directly (like "|0a 01 0f 03|") in a TCP header (or IP payload). As far
as I know 'content' keyword can not help me because it is used to search
hex pattern in a transport layer protocol payload, but not in the
payload of network layer protocol. I tried to use 'offset' keyword with
a negative value to "move" a cursor to the left of the TCP payload, but
this method has failed.

Is it possible for Snort to detect hex pattern in a TCP header?

Thanks in advance.


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make
sure to stay up to date to catch the most <a href="
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Current thread:

Detection of hex pattern given directly in a TCP header Маркин Юрий Витальевич (Oct 12)
- Re: Detection of hex pattern given directly in a TCP header rmkml (Oct 12)
  - Re: Detection of hex pattern given directly in a TCP header Yury Markin (Oct 12)
    - Re: Detection of hex pattern given directly in a TCP header rmkml (Oct 12)
    - Re: Detection of hex pattern given directly in a TCP header Russ via Snort-sigs (Oct 12)
    - Re: Detection of hex pattern given directly in a TCP header ustas (Oct 12)
    - Re: Detection of hex pattern given directly in a TCP header Patrick Mullen (Oct 16)
    - Re: Detection of hex pattern given directly in a TCP header Russ via Snort-sigs (Oct 24)
    - Re: Detection of hex pattern given directly in a TCP header ustas (Oct 12)