[Snort-devel] Length encoded protocol / LDAP and BER

FOULDE Damien damien.foulde at ...3682...
Wed Jan 25 13:38:28 EST 2017


Hello,


I’m facing an issue dissecting a length-encoded protocol, LDAP in my case,
which uses BER.

I’m blocked because the value extracted through “byte_extract” can only be
supplied to the “offset” argument of the “byte_jump” rule keyword and not to
the “bytes_to_convert” argument.


Let me take an example. I have the bytes below and I need to check the 0x80
byte:

82 00 05 12 24 56 78 12 80

0x82 = 10000010

The MSB is set to 1, so the value of the other 7 bits is not the length of
the data but the number of bytes used to describe the length of the data. In
this example, the number of bytes describing the length of the data is
0000010 = 2.

We can get this value through “byte_extract:1,0,var_length,relative,bitmask
0x7f;”.

Then we would need to get the “00 05” = 5 value to jump over the 5
following bytes, “12 24 56 78 12”, and finally be able to test the 0x80
content we need to check.

This could be achieved through “byte_jump:var_length,0,relative;” if the
“byte_jump” rule keyword accepted an extracted value for the
“bytes_to_convert” argument; unfortunately this is not the case.

Did I miss a Snort feature which could achieve this?

Do you know if there is already a feature request for something like this?


Thank you & regards,


Damien
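The BER length rule the message walks through in prose, written out as a general decoder. This is an added example in Python, not code from the post, from the Snort project or from Snort rule syntax; the function names, the INDEFINITE marker and the 4-byte cap on the long form are my own choices. It runs the message's nine bytes (constructed inline from the text above) through the rule, and also enumerates the other BER spellings of the same length, which is why a rule that pins bytes_to_convert to one width only matches one encoding of the same LDAP message.

```python
"""BER length decoding, as an added example (not from the post or Snort).

Constructed input: the nine bytes from the post. Offset 0 is the first
length byte; the 0x80 the post wants to test sits after the content.
"""
from dataclasses import dataclass

# Constructed sample from the post: 82 00 05 | 12 24 56 78 12 | 80
SAMPLE = bytes.fromhex("82 00 05 12 24 56 78 12 80")

INDEFINITE = -1  # marker for the indefinite form (length byte 0x80 alone)


@dataclass(frozen=True)
class BerLength:
    value: int        # content length in bytes, or INDEFINITE
    header_size: int  # bytes consumed by the length field itself


def decode_ber_length(buf: bytes, pos: int = 0, max_len_bytes: int = 4) -> BerLength:
    """Decode the BER length field starting at buf[pos].

    Short form: MSB clear, the byte itself is the length (0..127).
    Long form:  MSB set, low 7 bits = number of following length bytes,
                which hold the length big-endian.
    0x80 alone is the indefinite form; 0xFF is reserved.
    max_len_bytes (an assumed cap) stops a hostile packet from making the
    decoder read an absurd number of length bytes; 4 bytes covers 4 GiB.
    """
    if pos >= len(buf):
        raise ValueError("length byte out of range")
    first = buf[pos]
    if first & 0x80 == 0:
        return BerLength(first, 1)
    n = first & 0x7F            # same mask as the post's bitmask 0x7f
    if n == 0:
        return BerLength(INDEFINITE, 1)
    if n == 0x7F:
        raise ValueError("length byte 0xFF is reserved")
    if n > max_len_bytes:
        raise ValueError(f"long form uses {n} length bytes, limit is {max_len_bytes}")
    if pos + 1 + n > len(buf):
        raise ValueError("truncated length field")
    value = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    return BerLength(value, 1 + n)


def offset_after_content(buf: bytes, pos: int = 0) -> int:
    """Offset of the first byte after the content, i.e. the jump the post
    wants: skip the length field itself, then skip `value` content bytes."""
    hdr = decode_ber_length(buf, pos)
    if hdr.value == INDEFINITE:
        raise ValueError("indefinite length: content ends at 00 00, not at a computed offset")
    target = pos + hdr.header_size + hdr.value
    if target >= len(buf):
        raise ValueError("jump target beyond end of buffer")
    return target


def ber_length_encodings(value: int, max_len_bytes: int = 4) -> list:
    """Every BER encoding of a definite length up to max_len_bytes wide.

    BER allows the long form to carry leading zero bytes, so one length has
    several valid spellings; DER permits only the shortest. A rule that
    hard-codes bytes_to_convert therefore matches just one spelling.
    """
    out = []
    if value < 0x80:
        out.append(bytes([value]))                      # short form
    minimal = max(1, (value.bit_length() + 7) // 8)     # fewest long-form bytes
    for n in range(minimal, max_len_bytes + 1):
        out.append(bytes([0x80 | n]) + value.to_bytes(n, "big"))
    return out


if __name__ == "__main__":
    hdr = decode_ber_length(SAMPLE)
    at = offset_after_content(SAMPLE)
    print(f"length field: {hdr.header_size} bytes, content length {hdr.value}")
    print(f"byte after content at offset {at}: 0x{SAMPLE[at]:02x}")
    for enc in ber_length_encodings(5):
        print("length 5 as", enc.hex(" "))
```

On the post's bytes the length field is 3 bytes wide with a content length of 5, so the byte to test is at offset 8 and is 0x80. The same length 5 is also valid BER as 05, 81 05, 83 00 00 05 and 84 00 00 00 05, which is the practical reason a fixed bytes_to_convert needs one rule per width if the sender is free to choose the encoding.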
