--On Tuesday, May 15, 2007 09:57:32 -0700 Jasmine Chua
<babymagic_89@yahoo.com> wrote:
Dear Snort users,
I have been trying to figure out the snort rule option
"byte_test".
http://www.snort.org/docs/snort_htmanuals/htmanual_261/node203.html
For instance, we have
byte_test:4,>,128,relative;
that will grab 4 bytes which happens to be "00 00 0F
FF"
So, in this case, how do I manually calculate to check
if the above 4 bytes are actually > 128 or not?
Problem is I do not know what does the value 128
represent? Is it in decimal?
Sorry, if my question sounds stupid, I really can't
help it.
I had a fifth grade math teacher who said, "The only stupid question is the
one you do not ask."
128 is decimal, but the packet is in hex. So you have to convert from hex
to decimal. Most computers have a scientific calculator that will do this
for you easily. Click on hex. Type in the values in the packet. Then
click on decimal.
In this case, |00 00 0F FF| = 4095. Well beyond the 128 boundary.
--
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
p7sjBdsM5uXy3.p7s
Description: S/MIME cryptographic signature
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
