[Snort-devel] RE: [snort-cvs] CVS: snort - chrisgreen

Chris Green cmg at ...402...
Tue Aug 13 09:49:08 EDT 2002


[ including snort-users since this is kinda neat. ]

"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> I know I know... Changelog has it, sorry
>
>           rawbytes -- used to inspect the raw packet data instead of the
>           alternatively decode application packet buffer
>

Well, let just expound a little bit.  In telnet_decode, we're
normalizing an application buffer.  Back in the old days of snort ( or
until around 12:30am last night depending on if you are living on
earth ), snort normalized telnet data into the packet directly. 

A few months ago, I changed http_decode to normalize into a separate
data structure so we no longer had those ugly fake packets that looked
like

GET http://uri gobbledly gook

Lets fast forward a few cups of coffee later.... Zoom through the
magical time machine. <zoom!>

Now, I've added a DecodeBuffer that separates whatever types of
decoders into a specific spot ( although Http is still special.... )
and allows default content checks to check that buffer ( if it indeed
decoded something ).

Well, that presents a problem:  How do you keep people from by passing
a specific signature by using random bytes to change the packet if you
know what the raw bytes are supposed to look like?

Voila! rawbytes!

alert tcp any any -> any 23 (msg: "telnet nop!": \
                             content: "|FF F1|"; rawbytes;)

Look for 1.9.0beta3 coming soon to a website near you.
--
Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod




More information about the Snort-devel mailing list