[Snort-devel] New feature wanted - aid when designing rules

Martin Olsson elof at ...969...
Wed May 14 11:08:06 EDT 2003


It would be nice if the byte_test-tag had an option "debug".

When this option is set, snort would dump the interesting data on stderr.
Interesting data is the current values, offsets and the payload data close
to the different pointers, in short, the surrounding environment.

Example of the rule:
msg:"testing"; content:"AAAA"; byte_test: 1,>,65,0,relative,dec,debug;

Example of the packet payload:
...123456AAAAC123456789...

Example of the dump:
=[ sid: 12345 ] ========================================================
                                 .
  31 32 33 34 35 36 41 41  41 41 43 31 32 33 34 35 |123456AAAAC12345|
                                 ^
  Bytes read:  1
  Operator:    Greater than
  Given value: 65 (dec)
  Read value:  67 (dec) (0x43, 'C')
  Offset:     +4 bytes (relative)

========================================================================

...something like this... The '^' and '.' indicate the base and
offset pointers.


Possible? It would help a lot when designing rules for binary
protocols/exploits.

--
Martin Olsson
Sentor AB, Sweden
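
Added example (not part of the original post, and not Snort source code): a
Python model of how byte_test is evaluated relative to a content match,
together with a renderer for the kind of debug dump proposed above. The rule
semantics follow Snort's byte_test keyword (bytes to read, operator, value,
offset, relative, endianness); the dump layout with its '.' and '^' markers is
the post's proposal, while the "Result" line, the endianness case, the
out-of-bounds case, the sid numbers and the operator subset are assumptions
made here. The payload is constructed from the one in the post.

```python
# Added example, not Snort source: a model of byte_test evaluated relative to a
# content match, plus a renderer for the debug dump proposed in the post.
from dataclasses import dataclass
from typing import Optional

# Operators modelled (Snort also has the '!' prefix and '^'); names as in the dump.
OPERATORS = {"<": lambda r, g: r < g, ">": lambda r, g: r > g,
             "=": lambda r, g: r == g, "&": lambda r, g: (r & g) != 0}
OPERATOR_NAMES = {"<": "Less than", ">": "Greater than", "=": "Equal", "&": "Bitwise AND"}


@dataclass
class ByteTestResult:
    matched: bool
    base: int                  # index just past the content match (relative anchor)
    read_at: int               # index of the first byte read
    read_value: Optional[int]  # None when the read runs past the payload


def find_content(payload: bytes, pattern: bytes) -> Optional[int]:
    """Index just past the first occurrence of pattern: the 'relative' base."""
    idx = payload.find(pattern)
    return None if idx < 0 else idx + len(pattern)


def byte_test(payload: bytes, base: int, nbytes: int, op: str, given: int,
              offset: int, endian: str = "big") -> ByteTestResult:
    """Model of byte_test:<nbytes>,<op>,<given>,<offset>,relative[,little].
    offset counts from base (end of the previous content match); a read that does
    not fit inside the payload is reported as a non-match (modelling choice)."""
    read_at = base + offset
    if read_at < 0 or read_at + nbytes > len(payload):
        return ByteTestResult(False, base, read_at, None)
    value = int.from_bytes(payload[read_at:read_at + nbytes], endian)
    return ByteTestResult(OPERATORS[op](value, given), base, read_at, value)


def _hex_col(i: int) -> int:
    """Column of byte i's hex digits: 2-space indent, 3 per byte, gap after 8."""
    return 2 + 3 * i + (1 if i >= 8 else 0)


def render_dump(sid: int, payload: bytes, res: ByteTestResult, nbytes: int,
                op: str, given: int, offset: int, window: int = 16) -> str:
    """The proposed dump: hex window, '.' over the base pointer, '^' over the
    read pointer, then the test parameters and (added here) the outcome."""
    start = max(0, min(res.base, res.read_at) - 8)
    start = min(start, max(0, len(payload) - window))
    chunk = payload[start:start + window]
    hexes = [f"{b:02x}" for b in chunk]
    hex_part = " ".join(hexes[:8]) + ("  " + " ".join(hexes[8:]) if len(hexes) > 8 else "")
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)

    def marker(index: int, ch: str) -> str:
        i = index - start
        return " " * _hex_col(i) + ch if 0 <= i < len(chunk) else f"  ({ch} outside window)"

    lines = [f"=[ sid: {sid} ] " + "=" * 56, marker(res.base, "."),
             f"  {hex_part} |{ascii_part}|", marker(res.read_at, "^"),
             f"  Bytes read:  {nbytes}", f"  Operator:    {OPERATOR_NAMES[op]}",
             f"  Given value: {given} (dec)"]
    if res.read_value is None:
        lines.append("  Read value:  (read runs past the end of the payload)")
    else:
        rv = res.read_value
        as_char = f", {chr(rv)!r}" if nbytes == 1 and 32 <= rv < 127 else ""
        lines.append(f"  Read value:  {rv} (dec) (0x{rv:0{2 * nbytes}x}{as_char})")
    lines += [f"  Offset:      {offset:+d} bytes (relative)",
              f"  Result:      {'match' if res.matched else 'no match'}", "=" * 72]
    return "\n".join(lines)


# Constructed payload: the post's example without the surrounding "...".
PAYLOAD = b"123456AAAAC123456789"


def post_example():
    """The post's rule: content:"AAAA"; byte_test:1,>,65,0,relative;"""
    base = find_content(PAYLOAD, b"AAAA")
    res = byte_test(PAYLOAD, base, 1, ">", 65, 0)
    return res, render_dump(12345, PAYLOAD, res, 1, ">", 65, 0)


def endian_example():
    """Beyond the post: a 2-byte field two bytes past the match, read both ways.
    content:"AAAA"; byte_test:2,>,13056,2,relative[,little];  (13056 = 0x3300)"""
    base = find_content(PAYLOAD, b"AAAA")
    return (byte_test(PAYLOAD, base, 2, ">", 13056, 2, "big"),
            byte_test(PAYLOAD, base, 2, ">", 13056, 2, "little"))


def out_of_bounds_example():
    """A 4-byte read 8 bytes past the match overruns the 20-byte payload."""
    return byte_test(PAYLOAD, find_content(PAYLOAD, b"AAAA"), 4, ">", 0, 8)


if __name__ == "__main__":
    print(post_example()[1])
    for res in endian_example():
        print(render_dump(12346, PAYLOAD, res, 2, ">", 13056, 2))
    print(render_dump(12347, PAYLOAD, out_of_bounds_example(), 4, ">", 0, 8))
```

Running the script prints the dump for the post's rule (both markers land on
the 'C' byte, since the read starts at offset 0 from the end of the match), then
the same two payload bytes read big- and little-endian, which shows why a rule
written for the wrong byte order silently fails to fire, and finally a read
that overruns the payload, reported as a non-match with the read pointer
outside the hex window.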
