KFSensor

 

Edit Bytes Signature

Use the Edit Signature dialog box to add or change a bytes signature definition.

The other signature types are handled by the Edit Signature dialog box.

A bytes signature is used to match data in more complex ways than a string match.

The Signatures section of the KFSensor Concepts section of the manual describes how signatures are matched in more detail.

Fields

  • Value
    The number, in decimal format, that the data should be matched against.
  • Value Type
    The type controls how the data should be converted before it is matched against the value.

    | Type | Notes |
    |------|-------|
    | Big endian binary number | The bytes are converted into a number from big endian format. This is the most common binary representation found in network protocols. |
    | Little endian binary number | The bytes are converted into a number from little endian format. This is the most common binary representation found in Windows protocols. |
    | Decimal string | The bytes are converted from a decimal text string into a number. |
    | Hex string | The bytes are converted from a hex text string into a number. |
    | Octal string | The bytes are converted from an octal text string into a number. |
  • Operator
    A set of operators which control how the data and the value should be compared.
  • Bytes
    The number of bytes to be matched. For example, 4 would be used for a 32-bit number.
  • Offset
    The byte offset into the data where the data should be matched.
  • Is Relative
    If selected, the offset is relative to the end of the last signature's match instead of the start of the data.
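
How the fields above combine into a single match decision, as an added Python example (not KFSensor's own code). The operator set, the value-type key names, the function names and the treatment of a field that runs past the end of the data as a non-match are assumptions; the page does not specify them.

```python
import operator

# Assumed operator set; the page does not list the operators KFSensor offers.
OPERATORS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}


def _parse_text(raw, base):
    """Convert an ASCII digit string to a number, rejecting signs and separators."""
    text = raw.decode("ascii").lower()
    digits = "0123456789abcdef"[:base]
    if not text or any(c not in digits for c in text):
        raise ValueError("not a base-%d number" % base)
    return int(text, base)


# One converter per value type listed above (key names are illustrative).
CONVERTERS = {
    "big_endian": lambda b: int.from_bytes(b, "big"),
    "little_endian": lambda b: int.from_bytes(b, "little"),
    "decimal_string": lambda b: _parse_text(b, 10),
    "hex_string": lambda b: _parse_text(b, 16),
    "octal_string": lambda b: _parse_text(b, 8),
}


def bytes_signature_matches(data, value, value_type, op, nbytes, offset,
                            is_relative=False, last_match_end=0):
    """Return True when the selected field, converted per value_type, satisfies op."""
    start = offset + (last_match_end if is_relative else 0)
    end = start + nbytes
    # Assumption: a field that falls outside the data is a non-match, not an error.
    if start < 0 or nbytes <= 0 or end > len(data):
        return False
    try:
        number = CONVERTERS[value_type](data[start:end])
    except ValueError:  # non-ASCII bytes or non-digit text in a string type
        return False
    return OPERATORS[op](number, value)


# Constructed sample payload: the number 300 encoded four ways after a 3-byte tag.
SAMPLE = b"HDR" + (300).to_bytes(4, "big") + (300).to_bytes(2, "little") + b"012C" + b"0454"

if __name__ == "__main__":
    print(bytes_signature_matches(SAMPLE, 300, "big_endian", "=", 4, 3))     # True
    print(bytes_signature_matches(SAMPLE, 300, "big_endian", "=", 2, 7))     # False
    print(bytes_signature_matches(SAMPLE, 300, "little_endian", "=", 2, 7))  # True
```

The second call shows why Value Type matters: the same two bytes read as big endian give 11265, not 300, so a signature with the wrong byte order silently never fires.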

Buttons

  • Validate
    This button checks whether the signature is valid.
