[Snort-devel] [PATCH 1/5]: byte_test: support bitwise OR
Joshua.Kinard at ...3108...
Wed May 4 18:50:59 EDT 2011
Yeah, I was pondering for a bit whether bitwise OR was even necessary, but couldn't think of anything. Then thought, "well, we have AND and XOR, so why not OR?". I figured one of your guys might have already considered it by now. Thanks for the feedback!
The 'mask' idea simply extends byte_test's '&' operator to byte_jump and byte_extract. Kinda got the idea from the below VRT blog and found out its usefulness w/ the compression pointer in DNS:
Also, it looks like (maybe?) dcerpc2's implementation of byte_extract is incomplete. I know byte_jump and byte_extract share a lot of the same option fields, so maybe a lot of the code is merged and I just missed the bit that does one or the other. Has anyone looked at a better way to "override" rule options other than duplicating a lot of the code, as is the case w/ dcerpc2 and the three byte manipulation options? The parsing code at least appears to be much more robust in dcerpc2's implementations.
From: Ryan Jordan [mailto:ryan.jordan at ...402...]
Sent: Tuesday, May 03, 2011 3:23 PM
To: Kinard, Joshua A
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] [PATCH 1/5]: byte_test: support bitwise OR
I'm in the process of reviewing your patches now, but I figured I'd respond to this one early. I should be responding to your other emails by today or tomorrow.
The attached patch does work as advertised, but using a bitwise OR in a byte_test option doesn't actually detect anything. The byte_test option works by applying an operation, then checking for a non-zero result. In the case of bitwise OR, any non-zero "value" parameter will always cause the option to match regardless of packet data.
I nearly added this myself in Snort 2.8.5, until I sat and thought about actual use cases. :)
Good call on the error in the manual. We'll make sure that gets fixed.
On Fri, Apr 29, 2011 at 12:41 AM, <Joshua.Kinard at ...3108...> wrote:
> Hi snort-devel,
> The attached patch adds bitwise OR support for byte_test. Bitwise AND
> and bitwise XOR are already supported**, thus I figure bitwise OR can't
> hurt. I cannot yet think of a use for it, but I'm sure someone out
> there has pondered it.
> Note: The manual calls bitwise XOR "OR". This is fixed in a follow-on
> patch to the manual.
> Note: Please double check-this for accuracy. There appears to be a
> fair bit of duplicated code in Snort, so I hope I hit all the right places.
> A patch specific to dcerpc2 will follow for this feature and a few
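Ryan's point (byte_test applies the operator, then treats any non-zero result as a match, so OR with a non-zero value fires on every packet) and Joshua's mask idea for byte_extract (the DNS compression pointer, whose top two bits are 11 and whose low 14 bits hold the offset) modelled in C. This is an added illustration, not Snort's own byte_test or byte_extract code; read_be, byte_test_matches, byte_extract_masked, the bt_op enum and the sample DNS bytes are all constructed for it.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical model of byte_test's comparison step (not Snort's code):
 * read n big-endian bytes at off, apply op against value, and report a
 * match when the result is non-zero. */
enum bt_op { BT_EQ, BT_AND, BT_XOR, BT_OR };

/* Constructed sample data: a DNS compression pointer 0xC00C (offset 12)
 * and two zero bytes (a label of length 0, i.e. the root). */
static const uint8_t dns_ptr[]  = { 0xC0, 0x0C };
static const uint8_t dns_zero[] = { 0x00, 0x00 };

static int read_be(const uint8_t *pkt, size_t len, size_t off, size_t n,
                   uint32_t *field)
{
    if (n == 0 || n > 4 || off > len || n > len - off)
        return 0;                       /* out of bounds: never a match */
    *field = 0;
    for (size_t i = 0; i < n; i++)
        *field = (*field << 8) | pkt[off + i];
    return 1;
}

int byte_test_matches(const uint8_t *pkt, size_t len, size_t off, size_t n,
                      enum bt_op op, uint32_t value)
{
    uint32_t f;
    if (!read_be(pkt, len, off, n, &f))
        return 0;
    switch (op) {
    case BT_EQ:  return f == value;
    case BT_AND: return (f & value) != 0;   /* depends on packet bits */
    case BT_XOR: return (f ^ value) != 0;   /* depends on packet bits */
    case BT_OR:  return (f | value) != 0;   /* non-zero whenever value is */
    }
    return 0;
}

/* Mask-style byte_extract as proposed in the thread (hypothetical):
 * the extracted field is ANDed with mask. Returns -1 when out of bounds. */
int64_t byte_extract_masked(const uint8_t *pkt, size_t len, size_t off,
                            size_t n, uint32_t mask)
{
    uint32_t f;
    if (!read_be(pkt, len, off, n, &f))
        return -1;
    return (int64_t)(f & mask);
}
```

With mask 0x3FFF the pointer bytes yield offset 12, while byte_test with OR and value 1 matches the all-zero bytes just as readily as the pointer.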