[Snort-devel] Bit Check Plug-In

Coochey, Giles g.coochey at ...482...
Sun Mar 24 06:36:07 EST 2002


I am attaching the Bit Check Plugin as a patch for snort-daily.

I'll also shortly be adding it to http://gc-spider.homeip.net

It essentially takes three arguments:

bit:x,y,z;

x is a byte location or offset below the TCP or UDP header of the packet.
y is an AND value
z is the required result

So for instance if I want to see if a Samba packet is using unicode I could
do something like:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml";
bit:11,128,128;
content:"|00|E|00|M|00|L"; flags:A+; classtype:bad-unknown;
reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:2;)

Similarly if it isn't using unicode then I would add another rule like so:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml";
bit:11,128,0;
content:"EML"; flags:A+; classtype:bad-unknown;
reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:2;)

I hope others can assist in testing this.

If you feel this could be useful for others, then you may perhaps consider
including this feature in a future release.

Thanks

Giles Coochey
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort-daily-bit-check.gz
Type: application/x-gzip
Size: 2620 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020324/2cc514de/attachment.bin>
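The patch itself is only available as the scrubbed attachment above, so what follows is an added, stand-alone C example (not Giles Coochey's plugin and not Snort code) of the bit:x,y,z semantics the post describes: read the byte at offset x of the TCP/UDP payload, AND it with y, and compare the result to z. It assumes the offset is counted from the first payload byte, and it treats an offset beyond the end of the payload as a non-match rather than an out-of-bounds read, which is the check a detection plugin must have before indexing packet data. The two Nimda .eml rules from the post are reproduced as one function, and the sample payloads are constructed for the example, not real SMB captures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* bit:x,y,z  ->  (payload[x] & y) == z
 * Returns 1 on match, 0 otherwise. An offset at or past the end of the
 * payload is a no-match; it must never become a read past the buffer. */
int bit_check(const uint8_t *payload, size_t len,
              size_t offset, uint8_t and_mask, uint8_t expected)
{
    if (payload == NULL || offset >= len)
        return 0;
    return (payload[offset] & and_mask) == expected;
}

/* Binary-safe substring search standing in for Snort's content: option. */
int content_match(const uint8_t *payload, size_t len,
                  const uint8_t *pat, size_t patlen)
{
    if (patlen == 0)
        return 1;
    if (payload == NULL || patlen > len)
        return 0;
    for (size_t i = 0; i + patlen <= len; i++)
        if (memcmp(payload + i, pat, patlen) == 0)
            return 1;
    return 0;
}

/* The two rules from the post combined:
 *   1 -> unicode rule fired  (bit:11,128,128 and content:"|00|E|00|M|00|L")
 *   2 -> ASCII rule fired    (bit:11,128,0   and content:"EML")
 *   0 -> neither fired */
int nimda_eml_rule(const uint8_t *payload, size_t len)
{
    static const uint8_t uni[] = { 0x00, 'E', 0x00, 'M', 0x00, 'L' };
    static const uint8_t asc[] = { 'E', 'M', 'L' };

    if (bit_check(payload, len, 11, 128, 128) &&
        content_match(payload, len, uni, sizeof uni))
        return 1;
    if (bit_check(payload, len, 11, 128, 0) &&
        content_match(payload, len, asc, sizeof asc))
        return 2;
    return 0;
}

/* Constructed sample payloads (assumption: not real traffic). Twelve
 * leading bytes so that byte 11 exists, then the file-name fragment. */
static const uint8_t sample_unicode[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x80,      /* byte 11: high bit set */
    0x00, 'E', 0x00, 'M', 0x00, 'L' };
static const uint8_t sample_ascii[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x00,      /* byte 11: high bit clear */
    'E', 'M', 'L' };
static const uint8_t sample_short[] = { 'E', 'M', 'L' }; /* byte 11 absent */

int main(void)
{
    printf("unicode payload -> rule %d\n",
           nimda_eml_rule(sample_unicode, sizeof sample_unicode));
    printf("ascii payload   -> rule %d\n",
           nimda_eml_rule(sample_ascii, sizeof sample_ascii));
    printf("short payload   -> rule %d\n",
           nimda_eml_rule(sample_short, sizeof sample_short));
    return 0;
}
```

The third sample is the case worth keeping in a test: it contains "EML" but is too short to have a byte 11, so both rules must stay silent instead of matching on whatever happens to sit past the end of the packet buffer.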