[Bro] Signature framework questions, endianess and bitwise operations

Siwek, Jon jsiwek at illinois.edu
Wed Jul 23 13:42:05 PDT 2014

On Jul 23, 2014, at 2:29 PM, James Feister <openjaf at gmail.com> wrote:

> Had some questions about the signature framework for detecting an application protocol. 
> Is it possible to manipulate bytes for endianness or will they always come in little endian?

Byte order isn’t considered; payloads are a string of bytes and signatures may use a regex to match on that.

> Is it possible to perform bitwise opperations on payload bytes so that you may perform checks against subsets of bits within the byte?  
> For example I have to look at the first 4 bits of a bigendian defined application layer protocol.  For my test cases I can match signatures against a known 8 bit little endian regex but not sure how to get to 4 bits because the next 4 bits will change in an operational environment.

Can character classes express what you want?

- Jon

More information about the Bro mailing list