Focus on IDS
Re: Intrusion Detection Evaluation Datasets Mar 19 2009 08:33PM
Joel Esler (eslerj gmail com) (1 replies)
Re: Intrusion Detection Evaluation Datasets Mar 20 2009 03:58AM
Ravi Chunduru (ravi is chunduru gmail com)
Hi,

I asked my colleagues and did some searching myself. I am not sure
whether it is possible to convert a set of bytes to an integer value
and check that value against a range of arbitrary values using a pcre
expression. Any ideas?

Thanks
Ravi

On Thu, Mar 19, 2009 at 1:33 PM, Joel Esler <eslerj (at) gmail (dot) com [email concealed]> wrote:
> On Mar 19, 2009, at 4:30 PM, Paul Schmehl wrote:
>
>> --On Thursday, March 19, 2009 14:33:29 -0400 Joel Esler <eslerj (at) gmail (dot) com [email concealed]>
>> wrote:
>>
>>> Would this be an appropriate use for byte_test or byte_jump?
>>>
>>
>> That's what I was referring to when I mentioned applications.  The problem
>> with http traffic is that it's much more freeform and doesn't lend itself to
>> byte_test and byte_jump type tests.
>
>
> I'd probably use a combination of isdataat and pcre for this.  As Marty
> said, 99.9999% of things can be found with plaintext Snort rules.  Anything
> else, you can use an .so rule for.
>
> --
> Joel Esler T: 302-223-5974 (-) Gtalk: jesler (at) sourcefire (dot) com [email concealed]
> [m]
>
