[Bro] Signature framework questions, endianness and bitwise operations
jsiwek at illinois.edu
Wed Jul 23 13:42:05 PDT 2014
On Jul 23, 2014, at 2:29 PM, James Feister <openjaf at gmail.com> wrote:
> Had some questions about the signature framework for detecting an application protocol.
> Is it possible to manipulate bytes for endianness or will they always come in little endian?
Byte order isn’t considered; payloads are a string of bytes and signatures may use a regex to match on that.
> Is it possible to perform bitwise operations on payload bytes so that you may perform checks against subsets of bits within the byte?
> For example I have to look at the first 4 bits of a big-endian defined application layer protocol. For my test cases I can match signatures against a known 8 bit little endian regex but I'm not sure how to get to 4 bits because the next 4 bits will change in an operational environment.
Can character classes express what you want?
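An added worked example (not code from the thread or from Bro itself): a small Python helper that turns a mask on the first payload byte into the character class Jon is hinting at, emits a Bro signature using it, and checks the class against all 256 byte values with Python's regex engine as a stand-in for Bro's matcher. It generalizes beyond the high-nibble case to any mask/value pair. The signature syntax (signature, ip-proto, dst-port, payload, event) is Bro's; the helper names, the signature id, the UDP port 5000 and the assumption that Bro's payload regex accepts \xNN escapes inside a character class are mine.

```python
import re


def byte_class(mask: int, value: int) -> str:
    """Return a regex character class, e.g. [\\x40-\\x4f], that matches exactly
    the byte values b for which (b & mask) == value (hypothetical helper)."""
    if value & ~mask & 0xFF:
        raise ValueError("value has bits set outside the mask")
    wanted = [b for b in range(256) if (b & mask) == value]
    parts = []
    start = prev = wanted[0]
    # Collapse runs of consecutive byte values into ranges; everything is
    # written as a \xNN escape so '-', ']' and '^' never need special casing.
    for b in wanted[1:] + [None]:
        if b is not None and b == prev + 1:
            prev = b
            continue
        parts.append(f"\\x{start:02x}" if start == prev
                     else f"\\x{start:02x}-\\x{prev:02x}")
        if b is not None:
            start = prev = b
    return "[" + "".join(parts) + "]"


def bro_signature(sig_id: str, mask: int, value: int, port: int) -> str:
    """Emit a Bro signature that fires when the first payload byte, masked with
    `mask`, equals `value`. The '^' anchors the class to the first byte."""
    return (
        f"signature {sig_id} {{\n"
        f"  ip-proto == udp\n"
        f"  dst-port == {port}\n"
        f"  payload /^{byte_class(mask, value)}/\n"
        f'  event "{sig_id}: first payload byte matched mask"\n'
        f"}}\n"
    )


def bytes_matched(cls: str) -> set:
    """Check which of the 256 byte values the class matches, using Python's
    re in bytes mode (constructed check, standing in for Bro's regex engine)."""
    pat = re.compile(("^" + cls).encode("ascii"))
    return {b for b in range(256) if pat.match(bytes([b]))}


if __name__ == "__main__":
    # High nibble == 0x4, low nibble free to vary: the case asked about above.
    print(bro_signature("my_proto_v4", mask=0xF0, value=0x40, port=5000))
```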