Hi, I asked my colleagues and did some searching myself. I am not sure whether it is possible to convert from a set of bytes to an integer value and check that value within a range of arbitrary values using a pcre expression. Any ideas?
Thanks
Ravi

On Thu, Mar 19, 2009 at 1:33 PM, Joel Esler <[email protected]> wrote:
> On Mar 19, 2009, at 4:30 PM, Paul Schmehl wrote:
>
>> --On Thursday, March 19, 2009 14:33:29 -0400 Joel Esler <[email protected]>
>> wrote:
>>
>>> Would this be an appropriate use for byte_test or byte_jump?
>>>
>>
>> That's what I was referring to when I mentioned applications. The problem
>> with http traffic is that it's much more freeform and doesn't lend itself to
>> byte_test and byte_jump type tests.
>
>
> I'd probably use a combination of isdataat and pcre for this. As Marty
> said, 99.9999% of things can be found with plaintext Snort rules. Anything
> else, you can use an .so rule for.
>
> --
> Joel Esler T: 302-223-5974 (-) Gtalk: [email protected]
> [m]
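
An added example, not part of the original thread: assuming the value appears in the payload as ASCII decimal digits (the thread does not say), a numeric range can be expanded into a plain alternation of digit classes that a pcre expression can match without any byte-to-integer conversion. The function names and the Content-Length sample are constructed for illustration.

```python
import re

# Constructed sample request headers (not captured traffic).
SAMPLE = ("POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          "Content-Length: 004096\r\n\r\n")

def _stops(lo, hi):
    """Upper bounds that split [lo, hi] into digit-aligned subranges."""
    stops = {hi}
    k = 1
    stop = lo - lo % 10**k + 10**k - 1        # lo with its last k digits set to 9
    while lo <= stop <= hi:
        stops.add(stop)
        k += 1
        stop = lo - lo % 10**k + 10**k - 1
    k = 1
    stop = (hi + 1) - (hi + 1) % 10**k - 1    # hi+1 with last k digits zeroed, minus 1
    while lo < stop <= hi:
        stops.add(stop)
        k += 1
        stop = (hi + 1) - (hi + 1) % 10**k - 1
    return sorted(stops)

def _digits(start, stop):
    """Pattern for one subrange; both bounds have the same number of digits."""
    return "".join(a if a == b else f"[{a}-{b}]"
                   for a, b in zip(str(start), str(stop)))

def range_pattern(lo, hi):
    """Regex source matching decimal integers n with lo <= n <= hi."""
    if not 0 <= lo <= hi:
        raise ValueError("need 0 <= lo <= hi")
    parts, start = [], lo
    for stop in _stops(lo, hi):
        parts.append(_digits(start, stop))
        start = stop + 1
    # 0* tolerates zero-padded values; the lookarounds keep the match from
    # starting or ending inside a longer run of digits.
    return r"(?<!\d)0*(?:" + "|".join(parts) + r")(?!\d)"

def header_in_range(payload, lo, hi):
    """True if a Content-Length value in payload falls within [lo, hi]."""
    rx = re.compile(r"^Content-Length:[ \t]*" + range_pattern(lo, hi),
                    re.I | re.M)
    return rx.search(payload) is not None
```

The generated source uses only lookarounds, non-capturing groups and character classes, all of which PCRE supports. A value carried as raw binary bytes is outside what this example covers.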
