[Snort-devel] RE: [snort-cvs] CVS: snort - chrisgreen
cmg at ...402...
Tue Aug 13 09:49:08 EDT 2002
[ including snort-users since this is kinda neat. ]
"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:
> I know I know... Changelog has it, sorry
> rawbytes -- used to inspect the raw packet data instead of the
> alternatively decode application packet buffer
Well, let just expound a little bit. In telnet_decode, we're
normalizing an application buffer. Back in the old days of snort ( or
until around 12:30am last night depending on if you are living on
earth ), snort normalized telnet data into the packet directly.
A few months ago, I changed http_decode to normalize into a separate
data structure so we no longer had those ugly fake packets that looked
GET http://uri gobbledly gook
Lets fast forward a few cups of coffee later.... Zoom through the
magical time machine. <zoom!>
Now, I've added a DecodeBuffer that separates whatever types of
decoders into a specific spot ( although Http is still special.... )
and allows default content checks to check that buffer ( if it indeed
decoded something ).
Well, that presents a problem: How do you keep people from by passing
a specific signature by using random bytes to change the packet if you
know what the raw bytes are supposed to look like?
alert tcp any any -> any 23 (msg: "telnet nop!": \
content: "|FF F1|"; rawbytes;)
Look for 1.9.0beta3 coming soon to a website near you.
Chris Green <cmg at ...402...>
"Not everyone holds these truths to be self-evident, so we've worked
up a proof of them as Appendix A." -- Paul Prescod
More information about the Snort-devel