ArgusEncode32() accepts little endian?
Carter Bullard
carter at qosient.com
Mon Jul 15 19:18:25 EDT 2013
The ArgusEncode32() printer works on a character basis, so there
isn't any notion of big endian or little endian.

The "n=" is how many samples were used to generate the signature.
We rank them by "n", as a weight for the probability of encountering
that particular pattern.

Carter

On Jul 15, 2013, at 1:15 PM, Matt Brown <matthewbrown at gmail.com> wrote:
> Carter,
>
> Hope all is well. Last Thursday I started to look into reversing the
> nDPI classes and creating an raservices() conf file from the byte
> pattern classification definitions therein.
>
> I struggled to understand the C notation, etc., but have arrived at the
> question of whether or not ArgusEncode32() takes a little endian data
> value as input and "outputs" this data expressed as a string made up
> of its value in hex.
>
> For instance, if I take a value from afp.c (within nDPI) and see
> htons(0x0004), I can assume that when converted with ArgusEncode32(),
> the "output" will be "00000004".
>
> Out of this, I can then generate the "src=" or "dst=" portions of a
> line for an raservices() conf file.
>
> Is this correct?
>
> Additionally, as for the syntax of the raservices() conf file, what
> does the "n=" value mean?
>
>
> Thanks,
>
> Matt
>
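
Added example, not part of the original thread and not Argus source code: a character-by-character hex printer of the kind Carter describes, applied to the htons(0x0004) constant from Matt's question and to the same two bytes taken from a payload. The names hex_encode_bytes and encode_htons_constant, the lowercase hex digits and the sample payload are assumptions made for this illustration.

```c
/* Added illustration: hex_encode_bytes() is a hypothetical stand-in for a
 * character-by-character hex printer; it is not Argus source code. */
#include <arpa/inet.h>   /* htons */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode len bytes, in the order they sit in memory, as lowercase hex.
 * Returns the number of hex characters written, or -1 if out is too small. */
int hex_encode_bytes(const unsigned char *in, size_t len, char *out, size_t outlen)
{
    static const char digits[] = "0123456789abcdef";
    size_t i;

    if (in == NULL || out == NULL || outlen < len * 2 + 1)
        return -1;
    for (i = 0; i < len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[len * 2] = '\0';
    return (int)(len * 2);
}

/* Hex string for a 16-bit constant written as htons(value) in a dissector:
 * htons() stores the value in network order, so the bytes in memory (and on
 * the wire) are high byte first on every host. */
int encode_htons_constant(uint16_t value, char *out, size_t outlen)
{
    uint16_t wire = htons(value);
    unsigned char bytes[sizeof wire];

    memcpy(bytes, &wire, sizeof wire);
    return hex_encode_bytes(bytes, sizeof bytes, out, outlen);
}

int main(void)
{
    /* Constructed sample: first bytes of a payload starting with 00 04. */
    const unsigned char payload[] = { 0x00, 0x04, 0xde, 0xad };
    char a[16], b[16];

    encode_htons_constant(0x0004, a, sizeof a);
    hex_encode_bytes(payload, 2, b, sizeof b);
    printf("constant=%s payload=%s match=%d\n", a, b, strcmp(a, b) == 0);
    return 0;
}
```

Because the printer only ever sees bytes in memory order, the two strings match on both little endian and big endian hosts.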