From: Joel Esler (eslerjgmail.com)
Date: Thu Mar 19 2009 - 15:33:41 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mar 19, 2009, at 4:30 PM, Paul Schmehl wrote:

> --On Thursday, March 19, 2009 14:33:29 -0400 Joel Esler <eslerjgmail.com
> > wrote:
>
>> Would this be an appropriate use for byte_test or byte_jump?
>>
>
> That's what I was referring to when I mentioned applications. The
> problem with http traffic is that it's much more freeform and
> doesn't lend itself to byte_test and byte_jump type tests.

I'd probably use a combination of isdataat and pcre for this. As
Marty said, 99.9999% of things can be found with plaintext Snort
rules. Anything else, you can use an .so rule for.

--
Joel Esler T: 302-223-5974 (-) Gtalk: jeslersourcefire.com
[m]

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]