[Snort-devel] (no subject)

Steven Sturges steve.sturges at ...402...
Tue Dec 26 13:43:35 EST 2006


Hi Peter--

Answers below... Hope this helps.

Cheers.
-steve

Peter Schmitz wrote:
> Hi,
> 
> I'm currently struggling through snort code and rules to fully
> understand the system. When I came across the keyword byte_jump,
> I - unfortunately - didn't understand something:
> 
> In the latest snort documentation it says, that byte_jump would
> set a doe_ptr to another destination (depending on the rule).
> Now, what does this pointer really point to? Is this a position
> in the payload? Does that mean, that if I jump some bytes all
> later checking for content keywords will take place after the
> destination doe_ptr now (after executing byte_jump) points to?
> 
> If I - for example - would begin a rule like this: 
> 
> byte_jump:4,36,align; 
> content:"|00 00 00 01|"; offset:16; depth:4; 
> 
> First, I'd jump some bytes (depending on the packet real payload)
> - then I'd search for some specific content. If this content could
> be found in the bytes I just skipped by byte_jump - will this
> content be found?

The interpretation of this is jump some bytes (depending on payload),
then look for '00 00 00 01' 16 bytes from the result of the jump and
only search the next 4 bytes.  So, this will only trigger if the
content is found starting 16 bytes from where the byte jump 'landed'
(the resulting doe_ptr).

Think of the doe_ptr as a pointer to a place in the payload at the
conclusion of each operation (be it byte jump, byte test, pcre, content,
etc).

> Another thing are the several pointers:
> 
> What do base_ptr, doe_ptr, start_ptr, end_ptr really point to?

Not looking at the code at the moment, but base_ptr is the start of
the payload (usually).  start_ptr is a pointer to the beginning of
the search space (after 'relative', 'offset', are taken into account).
end_ptr is the end of the payload -- to prevent reading beyond the
payload.

> By the way, there are several keywords for the byte_jump keyword
> itself, esp. from_beginning and relative...isn't this superficial?
> Isn't relative == !from_beginning ?

Good question... 'relative' means read the bytes to jump relative to the
end of the last operation -- ie, use the doe_ptr to find how much to
jump.  Then, jump from the end of those bytes.  DNS record parsing is a
good example, where you'd want to skip the length of a given record.

'from_beginning' means jump from the start of payload.  The bytes that
are read can still be relative to an earlier operation, but they are
really an offset from the beginning of the payload, not from the
current location -- this happens with DCE/RPC quite a bit.

So, you could have both 'relative' and 'from_beginning' as options to
the same byte_jump.

> I know that some of my questions seem (and probably are) trivial, 
> but I really want to understand and if someone could help me out
> I'd be really grateful :)
> 
> Thanks for any help on this matter, 
> 
> Peter 
> 

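The following is an added worked example, not Snort source and not code from anyone in this thread. It models the cursor Steve describes (base_ptr, end_ptr and the doe_ptr that every option leaves just past what it consumed) and runs the three cases discussed above over a constructed payload: a plain byte_jump with align, the 'relative' plus 'from_beginning' combination used for DCE/RPC-style absolute offsets, and Peter's question about content that sits in the bytes the jump skipped. The content() helper follows the Snort rule-option manual, where offset/depth are counted from the start of the payload and distance/within are the forms counted from doe_ptr, so "16 bytes after the landing point, search 4 bytes" is written here as distance:16; within:4. The payload layout, field values and rules are all constructed for the illustration; the class and function names are this example's own.

```python
# Added example, not Snort source: a toy model of the detection-engine cursor
# (base_ptr / doe_ptr / end_ptr) so the byte_jump and content semantics are
# concrete. The payload and rules below are constructed for illustration.


class Cursor:
    """base_ptr: payload start; end_ptr: payload end (bounds every read);
    doe_ptr: 'detect offset end', the byte just past what the last option used."""

    def __init__(self, payload):
        self.payload = payload
        self.base_ptr = 0
        self.end_ptr = len(payload)
        self.doe_ptr = 0

    def byte_jump(self, nbytes, offset, relative=False, from_beginning=False, align=False):
        """Read `nbytes` big-endian at `offset` (from doe_ptr if relative, else base_ptr),
        then move doe_ptr by that value: from base_ptr if from_beginning, otherwise
        from just past the bytes that were read."""
        read_at = (self.doe_ptr if relative else self.base_ptr) + offset
        if read_at < self.base_ptr or read_at + nbytes > self.end_ptr:
            return False                          # never read past end_ptr
        value = int.from_bytes(self.payload[read_at:read_at + nbytes], "big")
        if align:
            value = (value + 3) & ~3              # round up to the next 4-byte boundary
        landing = (self.base_ptr if from_beginning else read_at + nbytes) + value
        if landing > self.end_ptr:
            return False                          # jump would leave the payload
        self.doe_ptr = landing
        return True

    def content(self, needle, offset=0, depth=None, distance=None, within=None):
        """offset/depth count from base_ptr; distance/within count from doe_ptr
        (simplified: the needle must fit in the window). A match moves doe_ptr
        to the end of the matched bytes."""
        relative = distance is not None or within is not None
        start = self.doe_ptr + (distance or 0) if relative else self.base_ptr + offset
        window = within if relative else depth
        stop = self.end_ptr if window is None else min(self.end_ptr, start + window)
        hit = self.payload.find(needle, max(start, self.base_ptr), stop)
        if hit < 0:
            return False
        self.doe_ptr = hit + len(needle)
        return True


MARKER = b"\x00\x00\x00\x01"
PAYLOAD = (                                   # constructed, 76 bytes
    b"H" * 8                                  # [0:8]   header
    + (72).to_bytes(4, "big")                 # [8:12]  absolute offset of MARKER, DCE/RPC style
    + b"H" * 24                               # [12:36] rest of header
    + (13).to_bytes(4, "big")                 # [36:40] length of the record that follows
    + b"XXXX" + MARKER + b"YYYYY"             # [40:53] 13-byte record; MARKER copy at [44:48]
    + b"\x00" * 3                             # [53:56] padding: align rounds 13 up to 16
    + b"P" * 16                               # [56:72] 16 bytes after the landing point
    + MARKER                                  # [72:76] the MARKER the rules look for
)


def jump_then_relative_content():
    """byte_jump:4,36,align; content:"|00 00 00 01|"; distance:16; within:4;
    reads 13 at 36, align -> 16, lands at 40 + 16 = 56, then searches [72:76]."""
    c = Cursor(PAYLOAD)
    ok = c.byte_jump(4, 36, align=True) and c.content(MARKER, distance=16, within=4)
    return ok, c.doe_ptr                      # (True, 76)


def skipped_bytes_invisible_to_relative_content():
    """Same jump; a relative search of the next 4 bytes ([56:60]) cannot see the
    MARKER copy at [44:48] inside the record the jump skipped."""
    c = Cursor(PAYLOAD)
    c.byte_jump(4, 36, align=True)
    return c.content(MARKER, within=4)        # False


def absolute_offset_still_sees_them():
    """offset/depth are measured from base_ptr, so the skipped copy is found;
    doe_ptr then moves back to 48, the end of that match."""
    c = Cursor(PAYLOAD)
    c.byte_jump(4, 36, align=True)
    return c.content(MARKER, offset=44, depth=4), c.doe_ptr   # (True, 48)


def relative_read_from_beginning_jump():
    """content:"HHHHHHHH"; byte_jump:4,0,relative,from_beginning; content:"|00 00 00 01|"; within:4;
    the jump value is read at doe_ptr (8) but applied from base_ptr: lands at 72."""
    c = Cursor(PAYLOAD)
    ok = (c.content(b"H" * 8, depth=8)
          and c.byte_jump(4, 0, relative=True, from_beginning=True)
          and c.content(MARKER, within=4))
    return ok, c.doe_ptr                      # (True, 76)


def truncated_payload_rejected():
    """end_ptr check: a length field that points past the payload fails the jump
    instead of reading out of bounds."""
    return Cursor(PAYLOAD[:42]).byte_jump(4, 36, align=True)   # False


if __name__ == "__main__":
    for fn in (jump_then_relative_content, skipped_bytes_invisible_to_relative_content,
               absolute_offset_still_sees_them, relative_read_from_beginning_jump,
               truncated_payload_rejected):
        print(f"{fn.__name__}: {fn()}")
```

The last two functions are the practical part of the doe_ptr model: doe_ptr is only ever "where the last option ended", so an absolute content can move it backwards, and every read or landing is checked against end_ptr so a hostile length field cannot drag the search past the packet.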