[Emerging-Sigs] Strange UDP Trojan check-in
nathan at packetmail.net
Tue Oct 4 18:21:38 EDT 2011
On 10/04/11 15:57, Joel Esler wrote:
> On Oct 4, 2011, at 4:48 PM, Nathan wrote:
>>> I sat down and finally got familiar with all of the byte_* operators,
>>> and I think this one will work the best (confirmed against pcap):
>> Awesome, I pored over the 2.9.0 manual and I just never saw where I could use
>> a byte_extract variable in byte_test; it only said value with an integer
>> between 0-4294967295. I was trying to figure out how to compare using the
>> byte_* operators and finally settled on a PCRE with a back reference.
Thanks Joel, I did see that; it just didn't register correctly with me. It's
not that it's not properly documented, it's just that it didn't *click* with me.
In my testing I was pretty close with byte_extract and byte_test, but not as well
done as Martin's work, and I got hung up at byte_test and the value from byte_extract.
+2 points for me for the crazy PCRE! -4 points for being dumb.
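The point of the exchange above is that, since Snort 2.9, a variable captured with byte_extract can be passed directly as the value argument of byte_test, so a "field A must equal field B" check no longer needs a PCRE back reference. The rule below is an added illustration written for this page, not Martin's signature, Nathan's PCRE, or anything taken from the pcap discussed in the thread. The payload layout (a two-byte field at offset 0 that must be repeated at offset 2), the rule name, the sid and the variable name fieldA are all assumed for the example.

```snort
# Added example, not from the thread. Assumed layout: bytes 0-1 of the UDP
# payload must equal bytes 2-3. byte_extract stores the first field in the
# variable fieldA; byte_test then compares the second field against that
# variable instead of a fixed integer.
alert udp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"EXAMPLE UDP check-in, repeated 2-byte field (byte_extract/byte_test)"; \
    dsize:>3; \
    byte_extract:2, 0, fieldA; \
    byte_test:2, =, fieldA, 2; \
    classtype:trojan-activity; sid:1000001; rev:1; )

# The same check expressed with a PCRE back reference, the approach Nathan
# mentions falling back to. Functionally equivalent for this assumed layout,
# but the byte_* form avoids running the PCRE engine on every UDP packet.
alert udp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"EXAMPLE UDP check-in, repeated 2-byte field (pcre back reference)"; \
    dsize:>3; \
    pcre:"/^(.{2})\1/s"; \
    classtype:trojan-activity; sid:1000002; rev:1; )
```

Both rules are meant to be read side by side: the byte_test form fails fast on the dsize and byte_extract checks before any comparison, and the variable can be reused in byte_jump or a second byte_test if the protocol carries more than one dependent field. Validate against the actual pcap before deploying; the offsets here are placeholders.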