[Snort-devel] Plug-In

Coochey, Giles g.coochey at ...482...
Sun Mar 17 09:53:05 EST 2002


Hi,

I consider myself pretty much a programming novice, but have come up with
this detection-plugin which I believe I'm going to find useful in some of my
rules.

It essentially takes three arguments:

bit:x,y,z;

x is a byte location below the header of the packet.
y is an AND value
z is the required result

So for instance if I want to see if a Samba packet is using unicode I could
do something like:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml";
bit:11,128,128;
content:"|00|E|00|M|00|L"; flags:A+; classtype:bad-unknown;
reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:2;)

Similarly if it isn't using unicode then I would add another rule like so:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml";
bit:11,128,0;
content:"EML"; flags:A+; classtype:bad-unknown;
reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:2;)


I'd appreciate it if someone could look at the code and let me know if it is
correct, and send any optimizations or corrections back to me.

If you feel this could be useful for others, then you may perhaps consider
including this feature in a future release.

Thanks

Giles Coochey
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort-bitcheck-patch.gz
Type: application/x-gzip
Size: 2608 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020317/cf6e03fb/attachment.bin>
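The following is an added illustration of the `bit:x,y,z` semantics described in the post, written here for readers of the archive; it is not Giles's patch (the attachment above) and not Snort's own option code. It assumes x is an offset into the packet payload, that y and z are decimal byte values, and that the names `bit_parse`, `bit_check` and `bit_rule` are hypothetical. The two sample payloads are constructed, not captured traffic. It also adds the two checks a reviewer would look for in such a plugin: a bounds check so the offset never reads past the end of a short packet, and a rejection of a required result that has bits outside the mask (which could never match).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of the proposed "bit:x,y,z" option. */
typedef struct {
    size_t offset;  /* x: byte offset into the payload (assumed interpretation) */
    uint8_t mask;   /* y: value AND-ed with the byte at that offset */
    uint8_t want;   /* z: required result of (byte & mask) */
} bit_opt;

/* Parse the text after "bit:" ("x,y,z", optionally followed by ';').
   Returns 0 on success, -1 on a malformed or unsatisfiable option. */
int bit_parse(const char *args, bit_opt *out)
{
    unsigned long v[3];
    const char *p = args;
    char *end;

    for (int i = 0; i < 3; i++) {
        errno = 0;
        v[i] = strtoul(p, &end, 10);
        if (end == p || errno != 0)
            return -1;                    /* not a number */
        if (i < 2) {
            if (*end != ',')
                return -1;                /* missing separator */
            p = end + 1;
        } else if (*end != '\0' && *end != ';') {
            return -1;                    /* trailing junk */
        }
    }
    if (v[1] > 255 || v[2] > 255)
        return -1;                        /* mask and result must fit a byte */
    if ((v[2] & ~v[1]) != 0)
        return -1;                        /* result bit outside mask: never matches */

    out->offset = v[0];
    out->mask = (uint8_t)v[1];
    out->want = (uint8_t)v[2];
    return 0;
}

/* Apply a parsed option to a payload: 1 = match, 0 = no match.
   The bounds check is the important part: a packet shorter than
   offset+1 simply does not match, instead of reading past the buffer. */
int bit_check(const uint8_t *payload, size_t len, const bit_opt *opt)
{
    if (opt->offset >= len)
        return 0;
    return (payload[opt->offset] & opt->mask) == opt->want;
}

/* Parse and check in one step; -1 means the option itself was invalid. */
int bit_rule(const char *args, const uint8_t *payload, size_t len)
{
    bit_opt o;
    if (bit_parse(args, &o) != 0)
        return -1;
    return bit_check(payload, len, &o);
}

/* Constructed sample payloads (not real captures): only byte 11 matters
   for the post's "bit:11,128,..." rules. */
const uint8_t sample_unicode[16] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x80, 0, 0, 0, 0 };
const uint8_t sample_ascii[16] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x00, 0, 0, 0, 0 };

int main(void)
{
    printf("unicode payload, bit:11,128,128 -> %d\n",
           bit_rule("11,128,128", sample_unicode, sizeof sample_unicode));
    printf("ascii payload,   bit:11,128,0   -> %d\n",
           bit_rule("11,128,0", sample_ascii, sizeof sample_ascii));
    printf("8-byte payload,  bit:11,128,128 -> %d (too short, no match)\n",
           bit_rule("11,128,128", sample_unicode, 8));
    printf("bit:11,128,1 -> %d (invalid: result bit outside mask)\n",
           bit_rule("11,128,1", sample_unicode, sizeof sample_unicode));
    return 0;
}
```

The length passed to `bit_check` must be the actual payload length of the packet under inspection, not the rule's expectation; in the plugin that is what guards against an attacker-controlled short packet pushing the read off the end of the buffer.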