[Snort-devel] Re: [Snort-users] Interpretation of "offset" in context of "uricontent" keyword

Jason security at ...1585...
Sat Jan 7 14:42:06 EST 2006


Why not try it on a request and see

alert tcp any any -> any 80 (msg:"offset 0 and uricontent test";
uricontent:"/s/ap"; offset:0; sid:1000000; rev:1; )

alert tcp any any -> any 80 (msg:"offset 20 and uricontent test";
uricontent:"/ap_on_go_pr_wh"; offset:20; sid:1000001; rev:1; )

alert tcp any any -> any 80 (msg:"offset 10 and uricontent test";
uricontent:"/ap_on_go_pr_wh"; offset:10; sid:1000002; rev:1; )

alert tcp any any -> any 80 (msg:"offset 25 and uricontent test";
uricontent:"/eavesdropping_ap_poll"; offset:25; sid:1000003; rev:1; )

then get

http://news.yahoo.com/s/ap/20060107/ap_on_go_pr_wh/eavesdropping_ap_poll

WARNING: spoiler at the bottom of the mail.

Intru Defender wrote:
> Hi All,
> I am reposting this question in the hope of getting some replies:
> 
> ======================================================================
> I need a little clarification about the interpretation of the "offset" modifier
> in conjunction with the "uricontent" keyword.
> 
> Does Snort treat "offset" differently in the case of the "uricontent" keyword?
> 
> In the case of the "uricontent" keyword, does Snort treat "offset:0" as being
> from the start of the URI, and not from the start of the payload?
> 
> The Snort manual says that "offset" tells how many bytes to skip before
> starting to look for the specified "content", and that "offset" is
> calculated from the start of the payload. For example:
> 
> content: ".html"; offset:4; would mean start looking for ".html" after 4
> bytes.
> 
> However, in the case of the "uricontent" keyword, would uricontent: ".html";
> offset:0; depth:5; mean start looking from the start of the URI and within the
> next 5 characters? Or would it mean start looking for ".html" in the first 5
> bytes of the payload?
> 
> Any help will be highly appreciated.
> 
> Thanks,
> 
> Intru Defender
> 
> 
> 
> <http://adworks.rediff.com/cgi-bin/AdWorks/sigclick.cgi/www.rediff.com/signature-home.htm/1507191490@...2846...?PARTNER=3>
> 

Nice to include remote images as a sigline served from anything with
"adworks" in the name. Cross posted to two security related mailing
lists at that. Most people generally frown upon that kind of behavior.

$ sudo src/snort -c etc/snort.conf -l /tmp -A console -k none -i eth0

$ wget http://news.yahoo.com/s/ap/20060107/ap_on_go_pr_wh/eavesdropping_ap_poll


01/07-17:35:55.123525  [**] [1:1000003:1] offset 25 and uricontent test
[**] [Priority: 0] {TCP} 192.168.1.100:57827 -> 206.190.35.122:80
01/07-17:35:55.123525 0:11:24:8E:FE:F8 -> 0:F:66:1A:C7:A4 type:0x800
len:0xD9
192.168.1.100:57827 -> 206.190.35.122:80 TCP TTL:64 TOS:0x0 ID:36435
IpLen:20 DgmLen:203 DF
***AP*** Seq: 0xD335BFA1  Ack: 0x4E3DF63D  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1075102899 57715046
47 45 54 20 2F 73 2F 61 70 2F 32 30 30 36 30 31  GET /s/ap/200601
30 37 2F 61 70 5F 6F 6E 5F 67 6F 5F 70 72 5F 77  07/ap_on_go_pr_w
68 2F 65 61 76 65 73 64 72 6F 70 70 69 6E 67 5F  h/eavesdropping_
61 70 5F 70 6F 6C 6C 20 48 54 54 50 2F 31 2E 30  ap_poll HTTP/1.0
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67  ..User-Agent: Wg
65 74 2F 31 2E 39 2E 31 0D 0A 48 6F 73 74 3A 20  et/1.9.1..Host:
6E 65 77 73 2E 79 61 68 6F 6F 2E 63 6F 6D 0D 0A  news.yahoo.com..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E  Accept: */*..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 0D 0A                             ive....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


01/07-17:35:55.123525  [**] [1:1000002:1] offset 10 and uricontent test
[**] [Priority: 0] {TCP} 192.168.1.100:57827 -> 206.190.35.122:80
01/07-17:35:55.123525 0:11:24:8E:FE:F8 -> 0:F:66:1A:C7:A4 type:0x800
len:0xD9
192.168.1.100:57827 -> 206.190.35.122:80 TCP TTL:64 TOS:0x0 ID:36435
IpLen:20 DgmLen:203 DF
***AP*** Seq: 0xD335BFA1  Ack: 0x4E3DF63D  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1075102899 57715046
47 45 54 20 2F 73 2F 61 70 2F 32 30 30 36 30 31  GET /s/ap/200601
30 37 2F 61 70 5F 6F 6E 5F 67 6F 5F 70 72 5F 77  07/ap_on_go_pr_w
68 2F 65 61 76 65 73 64 72 6F 70 70 69 6E 67 5F  h/eavesdropping_
61 70 5F 70 6F 6C 6C 20 48 54 54 50 2F 31 2E 30  ap_poll HTTP/1.0
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67  ..User-Agent: Wg
65 74 2F 31 2E 39 2E 31 0D 0A 48 6F 73 74 3A 20  et/1.9.1..Host:
6E 65 77 73 2E 79 61 68 6F 6F 2E 63 6F 6D 0D 0A  news.yahoo.com..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E  Accept: */*..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 0D 0A                             ive....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


01/07-17:35:55.123525  [**] [1:1000000:1] offset 0 and uricontent test
[**] [Priority: 0] {TCP} 192.168.1.100:57827 -> 206.190.35.122:80
01/07-17:35:55.123525 0:11:24:8E:FE:F8 -> 0:F:66:1A:C7:A4 type:0x800
len:0xD9
192.168.1.100:57827 -> 206.190.35.122:80 TCP TTL:64 TOS:0x0 ID:36435
IpLen:20 DgmLen:203 DF
***AP*** Seq: 0xD335BFA1  Ack: 0x4E3DF63D  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1075102899 57715046
47 45 54 20 2F 73 2F 61 70 2F 32 30 30 36 30 31  GET /s/ap/200601
30 37 2F 61 70 5F 6F 6E 5F 67 6F 5F 70 72 5F 77  07/ap_on_go_pr_w
68 2F 65 61 76 65 73 64 72 6F 70 70 69 6E 67 5F  h/eavesdropping_
61 70 5F 70 6F 6C 6C 20 48 54 54 50 2F 31 2E 30  ap_poll HTTP/1.0
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67  ..User-Agent: Wg
65 74 2F 31 2E 39 2E 31 0D 0A 48 6F 73 74 3A 20  et/1.9.1..Host:
6E 65 77 73 2E 79 61 68 6F 6F 2E 63 6F 6D 0D 0A  news.yahoo.com..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F 6E  Accept: */*..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 0D 0A                             ive....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
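Added illustration, not part of the original thread or of Snort's code: the Python below models a Snort-style content test (skip `offset` bytes, then require the whole pattern inside the next `depth` bytes) and evaluates the four posted rules against the very GET request wget sent above, reconstructed inline from the hex dump. It evaluates them two ways: counting from the start of the URI buffer, which is how Snort applies offset/depth to a uricontent pattern (the buffer comes from the http_inspect preprocessor), and counting from the first byte of the TCP payload, the other reading the question asks about. The `uri_buffer` helper is an assumption-laden stand-in for http_inspect normalization (it only pulls the request-URI token and does no decoding). One thing worth noticing: the two buffers differ only by the 4-byte "GET " prefix, and none of the offsets 0, 10, 20, 25 falls in that 4-byte gap for its pattern, so the three alerts above (sids 1000000, 1000002, 1000003) are consistent with URI-relative counting but would also appear under payload-relative counting; `discriminating_offsets` lists the offsets that would actually tell the two apart.

```python
"""Added example (not from the thread): model how offset/depth combine with
uricontent, using the same GET request that wget sent in the capture above."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the hex dump in the thread: the exact request wget sent.
REQUEST = (
    b"GET /s/ap/20060107/ap_on_go_pr_wh/eavesdropping_ap_poll HTTP/1.0\r\n"
    b"User-Agent: Wget/1.9.1\r\n"
    b"Host: news.yahoo.com\r\n"
    b"Accept: */*\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)


def uri_buffer(payload: bytes) -> bytes:
    """Return the request-URI token of the request line.

    Stand-in (assumption) for the buffer http_inspect hands to uricontent; it
    does none of the real normalization (percent-decoding, traversal folding).
    """
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("not an HTTP/1.x request line: %r" % request_line)
    return parts[1]


def content_match(buf: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort-style content test: skip `offset` bytes of `buf`, then the whole
    pattern must lie within the next `depth` bytes (all remaining bytes if
    depth is not given)."""
    end = None if depth is None else offset + depth
    return pattern in buf[offset:end]


@dataclass(frozen=True)
class Rule:
    sid: int
    pattern: bytes          # the uricontent string
    offset: int = 0
    depth: Optional[int] = None


# The four rules posted in the thread, as data.
RULES = [
    Rule(1000000, b"/s/ap", offset=0),
    Rule(1000001, b"/ap_on_go_pr_wh", offset=20),
    Rule(1000002, b"/ap_on_go_pr_wh", offset=10),
    Rule(1000003, b"/eavesdropping_ap_poll", offset=25),
]


def fired(rules: List[Rule], payload: bytes, uri_relative: bool = True) -> List[int]:
    """SIDs that fire when offset/depth are counted from the URI buffer
    (uri_relative=True, which is how Snort evaluates uricontent) or from the
    first byte of the TCP payload (the other reading asked about)."""
    buf = uri_buffer(payload) if uri_relative else payload
    return sorted(r.sid for r in rules
                  if content_match(buf, r.pattern, r.offset, r.depth))


def discriminating_offsets(payload: bytes, pattern: bytes) -> List[int]:
    """Offsets for which an offset-only rule on `pattern` fires under one
    reading but not the other. Empty means the rule cannot tell them apart."""
    uri = uri_buffer(payload)
    return [o for o in range(len(payload))
            if content_match(uri, pattern, o) != content_match(payload, pattern, o)]


if __name__ == "__main__":
    uri = uri_buffer(REQUEST)
    print("URI buffer (%d bytes): %s" % (len(uri), uri.decode()))
    for name, flag in (("URI-relative", True), ("payload-relative", False)):
        print("%-17s fires: %s" % (name, fired(RULES, REQUEST, flag)))
    # The posted rules fire identically either way: the two buffers differ
    # only by the 4-byte "GET " prefix, and none of the chosen offsets falls
    # in that gap. These offsets would split the two readings:
    print("offsets that discriminate for /ap_on_go_pr_wh:",
          discriminating_offsets(REQUEST, b"/ap_on_go_pr_wh"))
    # The depth case from the question: offset:0; depth:5 on "/s/ap".
    print('uricontent:"/s/ap"; offset:0; depth:5 ->',
          "URI:", content_match(uri, b"/s/ap", 0, 5),
          "payload:", content_match(REQUEST, b"/s/ap", 0, 5))
```

In this request "/ap_on_go_pr_wh" begins at byte 14 of the URI and byte 18 of the payload, so a rule such as uricontent:"/ap_on_go_pr_wh"; offset:16; would alert only if Snort counted from the payload, and uricontent:"/s/ap"; offset:0; depth:5; (the shape of the question's ".html" example) can only match if the 5-byte window starts at the URI, since the first five payload bytes are "GET /". Those are the two rules to add when repeating the experiment.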
