[Emerging-Sigs] Strange UDP Trojan check-in

Joel Esler jesler at sourcefire.com
Tue Oct 4 16:57:45 EDT 2011


On Oct 4, 2011, at 4:48 PM, Nathan wrote:

>> I sat down and finally got familiar with all of the byte_* operators,
>> and I think this one will work the best (confirmed against pcap):
> 
> Awesome, I pored over the 2.9.0 manual and I just never saw where I could use
> a byte_extract variable in byte_test; it only said value with an integer
> between 0-4294967295.  I was trying to figure out how to compare using the
> byte_* operators and finally settled on a PCRE with a back reference.


http://manual.snort.org/node30.html#SECTION004530200000000000000



