[Emerging-Sigs] Strange UDP Trojan check-in

Nathan nathan at packetmail.net
Tue Oct 4 18:21:38 EDT 2011


On 10/04/11 15:57, Joel Esler wrote:
> On Oct 4, 2011, at 4:48 PM, Nathan wrote:
> 
>>> I sat down and finally got familiar with all of the byte_* operators,
>>> and I think this one will work the best (confirmed against pcap):
>>
>> Awesome, I pored over the 2.9.0 manual and I just never saw where I could use
>> a byte_extract variable in byte_test; it only said value with an integer
>> between 0-4294967295.  I was trying to figure out how to compare using the
>> byte_* operators and finally settled on a PCRE with a back reference.
> 
> 
> http://manual.snort.org/node30.html#SECTION004530200000000000000

Thanks Joel, I did see that, it just didn't register correctly with me.  It's
not that it's not properly documented, it's just that it didn't *click* with me.

In my testing I was pretty close with byte_extract and byte_test, but not as well
done as Martin's work, and got hung up at byte_test and the value from byte_extract.

+2 points for me for the crazy PCRE!  -4 points for being dumb.

Thanks,
Nathan
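The point Joel's manual link makes, and that Nathan says finally clicked, is that Snort 2.9's byte_test accepts a byte_extract variable name where the manual's rule template only shows an integer value. The rule below is an added example, not the signature from this thread or from Emerging Threats; it assumes a constructed UDP check-in layout (bytes 0-1 are a fixed marker `01 00`, bytes 2-3 are a session id, and bytes 4-5 repeat that session id) and uses a made-up sid. The first rule does the comparison with byte_extract plus byte_test; the second shows the PCRE back-reference approach Nathan settled on before, which matches the same constructed layout.

```snort
# Added example. Constructed payload layout (not from the thread):
#   offset 0-1: fixed marker 01 00
#   offset 2-3: session id (big-endian 16-bit)
#   offset 4-5: the same session id repeated
# byte_extract reads 2 bytes at offset 2 into the variable sess_id;
# byte_test then compares the 2 bytes at offset 4 against that variable
# instead of against a literal integer.
alert udp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"EXAMPLE Hypothetical UDP check-in, session id echoed (byte_extract/byte_test)"; \
    dsize:>6; \
    content:"|01 00|"; depth:2; \
    byte_extract:2,2,sess_id; \
    byte_test:2,=,sess_id,4; \
    classtype:trojan-activity; \
    sid:9000001; rev:1;)

# Same check expressed as a PCRE with a back reference: the capture group
# grabs the two session-id bytes and \1 requires them to appear again
# immediately after. The 's' flag lets '.' match any byte, including 0x0a.
alert udp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"EXAMPLE Hypothetical UDP check-in, session id echoed (PCRE back reference)"; \
    dsize:>6; \
    content:"|01 00|"; depth:2; \
    pcre:"/^\x01\x00(..)\1/s"; \
    classtype:trojan-activity; \
    sid:9000002; rev:1;)
```

The byte_extract form is the one to prefer for a field-to-field comparison: the content match and byte_test run in the fast-path detection engine, and the extracted value can be reused in further byte_test or byte_jump options on the same packet, whereas the PCRE version is evaluated only after the content match and costs more per packet.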
