[Bro] Signature framework questions, endianess and bitwise operations

James Feister openjaf at gmail.com
Thu Jul 24 08:50:18 PDT 2014

On Thu, Jul 24, 2014 at 11:16 AM, Siwek, Jon <jsiwek at illinois.edu> wrote:
> On Jul 24, 2014, at 8:49 AM, James Feister <openjaf at gmail.com> wrote:
>> I think so, but it would mean I could match the first 4 bits but would
then have to include all possible permutations for the next 4 bits with
each of those desired first 4.
>> Had hoped I could just generate a mask to grab the first four bits 0x0F,
and then match against those.
>Yeah, the result isn’t always concise and you may want to code/script
something to auto-generate character classes for a given mask/value, but
that’s a way that’s worked for some signatures I’ve done.

I will do that then.

As an alternative I wanted to look at every stream (tcp) and packet (udp)
then do the match in my analyzer code.  But site documentation only
references DPM.cc to perform this hooking which I can only find in the 2.1
code base not 2.2 or 2.3.  Which of the analyzers in the 2.3 release could
I use as a reference?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140724/8649625a/attachment.html 

More information about the Bro mailing list