[Bro] Signature framework questions, endianness and bitwise operations
James Feister
openjaf at gmail.com
Thu Jul 24 06:49:42 PDT 2014
On Wed, Jul 23, 2014 at 4:42 PM, Siwek, Jon <jsiwek at illinois.edu> wrote:
>
> > Is it possible to perform bitwise operations on payload bytes so that
> > you may perform checks against subsets of bits within the byte?
> >
> > For example I have to look at the first 4 bits of a big-endian defined
> > application layer protocol. For my test cases I can match signatures
> > against a known 8 bit little endian regex but not sure how to get to 4 bits
> > because the next 4 bits will change in an operational environment.
>
> Can character classes express what you want?
>
I think so, but it would mean I could match the first 4 bits but would then
have to include all possible permutations for the next 4 bits with each of
those desired first 4.
Had hoped I could just generate a mask to grab the first four bits 0x0F,
and then match against those.
James
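
Added illustration, not part of the original message and not code from the Bro project: a fixed-bit test on a single byte can always be expanded mechanically into a regex character class, and when the fixed bits are the top four the class collapses to one range. The helper names and sample payload bytes below are constructed for this example; using the resulting class inside a Bro signature `payload /^.../` pattern assumes the signature regex engine accepts `\x` escapes in classes.

```python
import re

def masked_byte_class(mask: int, value: int) -> str:
    """Regex character class for every byte b where (b & mask) == value."""
    if not (0 <= mask <= 0xFF and 0 <= value <= 0xFF):
        raise ValueError("mask and value must each fit in one byte")
    if value & ~mask:
        raise ValueError("value sets bits outside the mask; no byte can match")
    hits = [b for b in range(256) if b & mask == value]
    # Collapse consecutive byte values into lo-hi ranges.
    runs, start, prev = [], hits[0], hits[0]
    for b in hits[1:]:
        if b != prev + 1:
            runs.append((start, prev))
            start = b
        prev = b
    runs.append((start, prev))
    body = "".join(
        f"\\x{lo:02x}" if lo == hi else f"\\x{lo:02x}-\\x{hi:02x}"
        for lo, hi in runs
    )
    return f"[{body}]"

def first_byte_matches(char_class: str, payload: bytes) -> bool:
    """Check the class against the first payload byte, anchored like /^.../."""
    return re.match(char_class.encode("ascii"), payload) is not None

# Constructed sample payloads: first byte 0x4a (high nibble 4) and 0x5a.
SAMPLE_HIT = bytes([0x4A, 0x01, 0x02])
SAMPLE_MISS = bytes([0x5A, 0x01, 0x02])

if __name__ == "__main__":
    high = masked_byte_class(0xF0, 0x40)   # top four bits fixed to 0100
    low = masked_byte_class(0x0F, 0x04)    # bottom four bits fixed to 0100
    print("high nibble:", high)
    print("low nibble: ", low)
    print(first_byte_matches(high, SAMPLE_HIT), first_byte_matches(high, SAMPLE_MISS))
```

A mask over the low four bits instead yields sixteen single-byte entries in one class, so the pattern still stays a single bracket expression rather than sixteen separate signatures.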