Snort - the de facto standard for intrusion detection/prevention
byte_test

Format

byte_test: <bytes to convert>, [!]<operator>, <value>, <offset>  \
    [,relative] [,<endian>] [,<number type>, string];

Option             Description
bytes to convert   Number of bytes to pick up from the packet and convert
operator           Operation to perform to test the converted value:
  • < - less than
  • > - greater than
  • = - equal
  • ! - not
  • & - bitwise AND
  • ^ - bitwise OR
value              Value to test the converted value against
offset             Number of bytes into the payload to start processing
relative           Use an offset relative to the end of the last pattern match
endian             Endian type of the number being read:
  • big - Process data as big endian (default)
  • little - Process data as little endian
string             Data is stored in string format (ASCII digits) in the packet
number type        Radix of the string being converted:
  • hex - Converted string data is represented in hexadecimal
  • dec - Converted string data is represented in decimal
  • oct - Converted string data is represented in octal

Any of the operators can be prefixed with ! to invert the test, i.e. to match when the comparison is false. If ! is given on its own, the operator defaults to =, so a bare ! means "not equal".

Note:   Snort applies each of these operators with C semantics, so a test succeeds when the corresponding C expression is non-zero. With the & operator, for example, the test is equivalent to if (data & value) { do_something(); } , i.e. it matches when any bit set in value is also set in the converted data, not only when the two are equal.
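The following is an added example, not Snort source: a small Python model of how a byte_test option is evaluated against a payload, written to make the rules above concrete. It parses the option text, pulls the requested bytes (at an absolute offset, or relative to the end of a preceding content match), converts them as a big- or little-endian binary number or as a hex/dec/oct digit string, and applies the operator with C truthiness, including the ! prefix and the "bare ! means not equal" rule. The names ByteTest, parse_byte_test, read_number, evaluate, SAMPLE and MATCH_END, and the sample payload, are this example's own and are not Snort identifiers; the ^ operator is implemented as the table documents it (bitwise OR), and a read that runs past the payload is treated as no match regardless of !, which is an assumption of this model.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not Snort source: a model of byte_test evaluation.
# ByteTest, parse_byte_test, read_number, evaluate, SAMPLE and MATCH_END
# are this example's own names; the payload below is constructed.

_DIGITS = {"hex": r"[0-9a-fA-F]+", "dec": r"[0-9]+", "oct": r"[0-7]+"}
_OPERATORS = ("<", ">", "=", "&", "^")


@dataclass
class ByteTest:
    count: int                 # bytes to convert
    operator: str              # one of < > = & ^  (a bare ! becomes = plus negate)
    value: int                 # value to compare against
    offset: int                # bytes into the payload (or past the last match)
    negate: bool = False       # leading ! on the operator
    relative: bool = False     # offset counted from the end of the last match
    endian: str = "big"        # big (default) or little, binary numbers only
    string: bool = False       # the bytes are ASCII digits, not a binary number
    number_type: str = "dec"   # radix for string conversion: hex, dec or oct


def _rule_int(text: str) -> int:
    """Integers as written in rules: decimal, or hex with a 0x prefix."""
    t = text.strip().lower()
    return int(t, 16) if t.startswith("0x") else int(t, 10)


def parse_byte_test(option: str) -> ByteTest:
    """Parse the text between 'byte_test:' and ';' in a rule."""
    fields = [f.strip() for f in option.split(",")]
    if len(fields) < 4:
        raise ValueError("byte_test needs bytes, operator, value and offset")
    count, op, value, offset = fields[:4]
    negate = op.startswith("!")
    op = op[1:] if negate else op
    if op == "":                      # "!" alone means "not equal"
        op = "="
    if op not in _OPERATORS:
        raise ValueError(f"unknown byte_test operator {op!r}")
    bt = ByteTest(int(count), op, _rule_int(value), int(offset), negate)
    for flag in fields[4:]:
        if flag == "relative":
            bt.relative = True
        elif flag in ("big", "little"):
            bt.endian = flag
        elif flag == "string":
            bt.string = True
        elif flag in _DIGITS:
            bt.number_type = flag
        else:
            raise ValueError(f"unknown byte_test modifier {flag!r}")
    return bt


def read_number(payload: bytes, bt: ByteTest, last_match_end: int = 0) -> Optional[int]:
    """Convert the selected bytes; None means they run past the payload."""
    start = bt.offset + (last_match_end if bt.relative else 0)
    chunk = payload[start:start + bt.count]
    if start < 0 or len(chunk) < bt.count:
        return None
    if not bt.string:
        return int.from_bytes(chunk, bt.endian)
    # string form: ASCII digits in the chosen radix. This model (an assumption,
    # not a claim about Snort) takes the leading run of digits plus an optional
    # 0x for hex, the way a C strtoul() call would, and ignores what follows.
    text = chunk.decode("ascii", errors="replace")
    prefix = r"(?:0[xX])?" if bt.number_type == "hex" else ""
    m = re.match(r"\s*" + prefix + "(" + _DIGITS[bt.number_type] + ")", text)
    if m is None:
        return None
    return int(m.group(1), {"hex": 16, "dec": 10, "oct": 8}[bt.number_type])


def evaluate(payload: bytes, bt: ByteTest, last_match_end: int = 0) -> bool:
    """Apply the operator with C semantics: a hit when the C expression is non-zero."""
    data = read_number(payload, bt, last_match_end)
    if data is None:            # too few bytes: no match, even with a leading !
        return False
    if bt.operator == "<":
        hit = data < bt.value
    elif bt.operator == ">":
        hit = data > bt.value
    elif bt.operator == "=":
        hit = data == bt.value
    elif bt.operator == "&":
        hit = (data & bt.value) != 0      # if (data & value)
    else:                                 # ^, documented above as bitwise OR
        hit = (data | bt.value) != 0      # if (data | value)
    return not hit if bt.negate else hit


# Constructed sample payload (not a real capture):
#   0..3   00 00 03 E8   = 1000 big endian, 0xE8030000 little endian
#   4..8   "MAGIC"       stands in for a preceding content:"MAGIC" match
#   9..16  "deadbeef"    ASCII hex digits, as in the DEADBEEF rule shown below
#   17     81            flag byte with the high bit set
#   18     00            a single trailing zero byte
SAMPLE = b"\x00\x00\x03\xe8" + b"MAGIC" + b"deadbeef" + b"\x81\x00"
MATCH_END = SAMPLE.index(b"MAGIC") + len(b"MAGIC")   # 9: where "relative" counts from

if __name__ == "__main__":
    for option in ("4, >, 999, 0", "4, =, 0xE8030000, 0, little",
                   "8, =, 0xdeadbeef, 0, relative, string, hex",
                   "1, &, 0x80, 17", "1, !&, 0x7E, 17", "1, !, 0, 18", "4, !=, 0, 18"):
        print(f"byte_test: {option};  ->  {evaluate(SAMPLE, parse_byte_test(option), MATCH_END)}")
```

Two details worth noticing when writing rules: the & test fires on any overlapping bit, so `1, &, 0x80, 17` matches the flag byte 0x81 even though the values differ, and a `relative` offset is meaningless without a preceding content or pcre match to anchor it, which is why the DEADBEEF test above is evaluated with MATCH_END set to the end of the "MAGIC" match.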

Figure: Byte Test Usage Example

alert udp $EXTERNAL_NET any -> $HOME_NET any \
...
...deadbeef, 0, string, hex; \
msg: "got DEADBEEF!";)


Steven Sturges 2006-12-08