Re: Detection of hex pattern given directly in a TCP header

[rmkml <rmkml () ligfy org>]

Hi Ustas,

Yes you are right, is not possible to detect content on tcp header,

but could you describe more what you want to detect exactly on tcp header please ?

Best Regards
@Rmkml

On Thu, 12 Oct 2017, Маркин Юрий Витальевич wrote:

> Hello,
>
> I'm trying to create the Snort rule for detection hex pattern given
> directly (like "|0a 01 0f 03|") in a TCP header (or IP payload). As far
> as I know 'content' keyword can not help me because it is used to search
> hex pattern in a transport layer protocol payload, but not in the
> payload of network layer protocol. I tried to use 'offset' keyword with
> a negative value to "move" a cursor to the left of the TCP payload, but
> this method has failed.
>
> Is it possible for Snort to detect hex pattern in a TCP header?
>
> Thanks in advance.
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" 
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" 
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!