[Snort-devel] ACK. Re: [Snort-users] version.bind (part of the problem) (fwd)

Martin Roesch roesch at ...48...
Fri Feb 9 02:50:20 EST 2001


Depth is calculated *from the offset*, so in the case of the below rule
the content match starts at byte 12 and with the depth of 18 stops at
byte 30.  Looks like it's in range, can't really say for the other stuff
right now.  Maybe I'll get a chance to test it this weekend...

    -Marty


Max Vision wrote:
> 
> Ok I am stumped.  The depth:18; tag shouldn't even work!  The version.bind
> string goes about 25 bytes into the packet...
> 
> Something is definitely broken.  Additionally, I may be confused about the
> nature of depth (I thought depth 18 would only consider bytes 0-18), but
> even if I'm confused, something is still broken as depth:26; isn't working
> for some people.
> 
> help?
> 
> ---------- Forwarded message ----------
> Date: Thu, 8 Feb 2001 03:45:18 -0800
> From: Aaron <lilnick at ...265...>
> To: Max Vision <vision at ...195...>
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] version.bind (part of the problem)
> 
> Here it is:
> 
> Query:
> (~)$ dig @XXX.XXX.XXX.10 version.bind chaos txt
> 
> ; <<>> DiG 8.3 <<>> @XXX.XXX.XXX.10 version.bind chaos txt
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      version.bind, type = TXT, class = CHAOS
> 
> ;; ANSWER SECTION:
> VERSION.BIND.           0S CHAOS TXT    "4.9.8-REL"
> 
> ;; Total query time: 90 msec
> ;; FROM: cobalt.nepenthes.org to SERVER: XXX.XXX.XXX.10
> ;; WHEN: Thu Feb  8 03:36:27 2001
> ;; MSG SIZE  sent: 30  rcvd: 64
> 
> [root at ...266... conf]# snort -i eth1 -dv port 53 and host YYY.YYY.YYY.240
> and host XXX.XXX.XXX.10
> 
>         --== Initializing Snort ==--
> 
> Initializing Network Interface eth1
> WARNING: OpenPcap() device eth1 network lookup:
>         eth1: no IPv4 address assigned
> Decoding Ethernet on interface eth1
> 
>         --== Initialization Complete ==--
> 
> -*> Snort! <*-
> Version 1.7
> By Martin Roesch (roesch at ...16..., www.snort.org)
> 02/08-14:38:48.170911 YYY.YYY.YYY.240:55579 -> XXX.XXX.XXX.10:53
> UDP TTL:50 TOS:0x0 ID:59253 IpLen:20 DgmLen:58
> Len: 38
> 00 06 01 00 00 01 00 00 00 00 00 00 07 76 65 72  .............ver
> 73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03        sion.bind.....
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 02/08-14:38:48.171916 XXX.XXX.XXX.10:53 -> YYY.YYY.YYY.240:55579
> UDP TTL:254 TOS:0x0 ID:47428 IpLen:20 DgmLen:92 DF
> Len: 72
> 00 06 85 80 00 01 00 01 00 00 00 00 07 76 65 72  .............ver
> 73 69 6F 6E 04 62 69 6E 64 00 00 10 00 03 07 56  sion.bind......V
> 45 52 53 49 4F 4E 04 42 49 4E 44 00 00 10 00 03  ERSION.BIND.....
> 00 00 00 00 00 0A 09 34 2E 39 2E 38 2D 52 45 4C  .......4.9.8-REL
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> Nothing was logged using the following rule in snort config:
> 
> alert UDP $EXTERNAL any -> $INTERNAL 53 (msg:
> "IDS278/named-probe-version"; content: "|07|version|04|bind"; depth: 26;
> offset: 12; nocase;)
> 
> However, enabling this rule, allowed logging of this query:
> 
> alert udp $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278 - SCAN -named
> Version probe"; content: "|07|version|04|bind|00 0010 0003|"; nocase;
> offset: 12; depth: 18;)
> 
> Let me know if you need more info
> 
> Thanks,
> Aaron
> 
> On 02/08/01 at 15:10 Max Vision wrote:
> >If the query comes through, but the rule doesn't trigger, then please let
> >us know and post the packet trace :)
> >
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...48...
http://www.snort.org