Snort - the de facto standard for intrusion detection/prevention

Format

byte_jump: <bytes_to_convert>, <offset> \
        [,relative] [,multiplier <multiplier value>] [,big] [,little][,string]\
        [,hex] [,dec] [,oct] [,align] [,from_beginning];

Option              Description
bytes_to_convert    Number of bytes to pick up from the packet
offset              Number of bytes into the payload to start processing
relative            Use an offset relative to last pattern match
multiplier <value>  Multiply the number of calculated bytes by <value> and skip forward that number of bytes.
big                 Process data as big endian (default)
little              Process data as little endian
string              Data is stored in string format in packet
hex                 Converted string data is represented in hexadecimal
dec                 Converted string data is represented in decimal
oct                 Converted string data is represented in octal
align               Round the number of converted bytes up to the next 32-bit boundary
from_beginning      Skip forward from the beginning of the packet payload instead of from the current position in the packet.

Figure: byte jump Usage Example
alert udp any any -> any 32770:34000 (content: '...
...ve; \
msg: "statd format string buffer overflow";)
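
The cursor arithmetic that the options above describe, as an added Python model (not code from Snort or from the Snort manual). It assumes the skip starts just past the converted field, that the multiplier is applied before `align`, and that a jump landing outside the payload counts as no match; `last_match_end` and the sample payloads are constructed for illustration.

```python
# Added model of byte_jump cursor arithmetic; not Snort source code.
# Assumptions: skip starts just past the converted field, multiplier is applied
# before align, and a jump that lands outside the payload is a non-match.
BASES = {"hex": 16, "dec": 10, "oct": 8}

def byte_jump(payload, bytes_to_convert, offset, *, last_match_end=0,
              relative=False, multiplier=1, endian="big", string=None,
              align=False, from_beginning=False):
    """Return the new detection cursor, or None when the option cannot match."""
    # relative: offset counts from the end of the last pattern match
    base = (last_match_end if relative else 0) + offset
    if base < 0 or base + bytes_to_convert > len(payload):
        return None                      # field is not fully inside the payload
    field = payload[base:base + bytes_to_convert]
    if string:                           # ASCII digits in base hex/dec/oct
        try:
            value = int(field.decode("ascii"), BASES[string])
        except ValueError:
            return None                  # not a number in that base
    else:
        value = int.from_bytes(field, endian)   # "big" (default) or "little"
    value *= multiplier
    if align and value % 4:
        value += 4 - value % 4           # round up to the next 32-bit boundary
    cursor = value if from_beginning else base + bytes_to_convert + value
    return cursor if 0 <= cursor <= len(payload) else None

# Constructed payloads (not captured traffic).
# RPC-style field: 4-byte big-endian length 5, data padded to 8 bytes, marker.
RPC = (5).to_bytes(4, "big") + b"hello\x00\x00\x00" + b"NEXT"
# 3-byte header, 2-byte little-endian count of 2-byte records, records, marker.
REC = b"HDR" + (3).to_bytes(2, "little") + b"ABCDEF" + b"END"
# Length as 4 ASCII hex digits, measured from the start of the payload.
TXT = b"0010" + b"x" * 12 + b"TAIL"

if __name__ == "__main__":
    print(byte_jump(RPC, 4, 0))                        # lands in the padding
    print(byte_jump(RPC, 4, 0, align=True))            # lands on NEXT
    print(byte_jump(REC, 2, 0, relative=True, last_match_end=3,
                    multiplier=2, endian="little"))    # lands on END
    print(byte_jump(TXT, 4, 0, string="hex", from_beginning=True))
    print(byte_jump(b"\xff\xff\xff\xff", 4, 0))        # oversized length
```

Without `align` the jump over the padded RPC field stops inside the padding, which is why rules that walk length-prefixed, 4-byte-padded fields pair `byte_jump` with `align`.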


Steven Sturges 2006-12-08