[Bro] Signature framework questions, endianness and bitwise operations

James Feister openjaf at gmail.com
Wed Jul 23 12:29:59 PDT 2014


Had some questions about the signature framework for detecting an
application protocol.

Is it possible to manipulate bytes for endianness or will they always come
in little endian?

Is it possible to perform bitwise operations on payload bytes so that you
may perform checks against subsets of bits within the byte?

For example, I have to look at the first 4 bits of a big-endian defined
application layer protocol. For my test cases I can match signatures
against a known 8-bit little-endian regex but not sure how to get to 4 bits
because the next 4 bits will change in an operational environment.


If not, I'm guessing I would have to pump all traffic through my binpac
analyzer and do the detection there?


Thanks,

James
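Added example, not part of the original post or of the Bro project: a byte-oriented regex such as the signature framework's `payload` regex cannot mask bits, but a 4-bit field in the high nibble of a byte can be selected with a byte range whose low nibble is "don't care" (e.g. `[\x40-\x4f]` for the value 0100). Single bytes have no endianness; the payload regex sees bytes in wire order, so a big-endian field is matched byte by byte in that order. The nibble value 0x4, the signature name and the sample payloads below are constructed for illustration.

```python
import re


def nibble_class(high_nibble: int) -> bytes:
    """Regex character class matching every byte whose top 4 bits equal
    high_nibble; the low 4 bits may take any value (16 bytes in total)."""
    if not 0 <= high_nibble <= 0xF:
        raise ValueError("nibble must be 0..15")
    lo = high_nibble << 4          # 0x4 -> 0x40: low nibble all zeros
    hi = lo | 0x0F                 # 0x4 -> 0x4f: low nibble all ones
    return b"[\\x%02x-\\x%02x]" % (lo, hi)


def first_nibble_pattern(high_nibble: int) -> re.Pattern:
    """Anchored pattern: the first payload byte must have this high nibble."""
    return re.compile(b"^" + nibble_class(high_nibble), re.DOTALL)


def payload_has_version(payload: bytes, high_nibble: int) -> bool:
    """True if the first 4 bits of the payload encode high_nibble."""
    return first_nibble_pattern(high_nibble).match(payload) is not None


def zeek_signature(sig_id: str, high_nibble: int) -> str:
    """Render the same check in the Bro/Zeek signature syntax (assumed form
    of a minimal signature block: ip-proto, payload regex, event)."""
    cls = nibble_class(high_nibble).decode("ascii")
    return (
        f"signature {sig_id} {{\n"
        f"  ip-proto == tcp\n"
        f"  payload /^{cls}/\n"
        f'  event "{sig_id}: version nibble {high_nibble} seen"\n'
        f"}}\n"
    )


# Constructed sample payloads: first byte carries a 4-bit "version" field
# in its high nibble, the low nibble varies between deployments.
SAMPLE_MATCH = bytes([0x45, 0x00, 0x10, 0x2a])      # 0100 .... -> version 4
SAMPLE_MATCH_2 = bytes([0x4f, 0xff])                # low nibble differs
SAMPLE_OTHER = bytes([0x50, 0x00])                  # 0101 .... -> version 5

if __name__ == "__main__":
    for p in (SAMPLE_MATCH, SAMPLE_MATCH_2, SAMPLE_OTHER):
        print(p.hex(), payload_has_version(p, 0x4))
    print(zeek_signature("app_v4_detect", 0x4))
```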