[Snort-sigs] within syntax questions

Brian bmc at ...95...
Fri Dec 12 06:42:03 EST 2003


On Fri, Dec 12, 2003 at 03:07:23PM +0100, David Wilburn wrote:
> I want to write a signature that will fire off an alarm when the
> following situation occurs:
> 
> string A is detected within X bytes before string B, and string C is
> detected within Y bytes after string B.

Ok, first things first, your logic uses two different mechanisms to
state the same thing.  Why confuse the issue?  Let me restate using
the same phrases in both places.

Detect string A.  Detect string B within X bytes of string A.  Detect
string C within Y bytes of string B.

Yes, snort can do this.  Every "within" statement tells snort to look
for this content within this many bytes from the end of the previous
content.

    content:"foo"; content:"bar"; within:4; content:"blah"; within:5;

snort keeps a single "where did I end" pointer.  In the src, it's
called doe_ptr.  At one point in time, I used to know what doe is an
acronym for, but it's long since escaped my memory.  Every content,
byte_test, byte_jump, and pcre sets this pointer after a positive
match, allowing later content options to base themselves relative to
that pointer.

> How would I do something like the above, without resorting to
> patching/recompiling snort and writing the rule using pcre?

Just do it.  It's done all over the place in the ruleset.  For some
really complicated uses of distance/within/byte_test/byte_jump, check
out a recent version of rpc.rules.

BTW, if you want pcre, I suggest downloading snort-current.  PCRE is a
required library for 2.1 forwards.  No patching needed.

-brian
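As an added example (not code from the post and not the Snort source), the Python below emulates the single "where did I end" pointer the reply describes: a content carrying a relative modifier (distance or within) is searched from that pointer, and every hit moves the pointer to the end of its match. The window arithmetic is an assumption about the rule syntax rather than a transcription of Snort's code: with within:N the pattern must lie entirely inside the N bytes starting at the (distance-adjusted) pointer. Retrying later occurrences of an earlier content when a following one fails is likewise a modelling choice here, not something the post states. The rule from the post is run over a few constructed payloads; names such as parse_options and match_rule are invented for this example.

```python
"""Toy emulation of Snort's content / distance / within matching.

Added example, not code from the post or from the Snort source.  It models
the single "where did I end" pointer the post describes: a content with a
relative modifier (distance or within) is searched starting at that pointer,
and every hit moves the pointer to the end of its match.  The window
arithmetic is an assumption about the rule syntax, not Snort's code: with
``within:N`` the pattern must lie entirely inside the N bytes starting at the
(distance-adjusted) pointer.  Retrying later occurrences when a following
content fails is a modelling choice here; the post does not discuss it.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional


@dataclass
class Content:
    pattern: bytes
    distance: Optional[int] = None  # skip N bytes past the pointer before searching
    within: Optional[int] = None    # pattern must fit inside the next N bytes


def _decode_content(text: str) -> bytes:
    """Turn a Snort content string (text with optional |hex| runs) into bytes."""
    out = bytearray()
    for i, piece in enumerate(text.split("|")):
        if i % 2:                                   # odd pieces are hex runs
            out += bytes.fromhex(piece.replace(" ", ""))
        else:
            out += piece.encode("latin-1")
    return bytes(out)


def parse_options(options: str) -> List[Content]:
    """Parse 'content:"x"; within:4; ...' into Content objects.

    Only content, distance and within are understood; anything else is
    rejected so a typo does not silently drop a constraint.
    """
    contents: List[Content] = []
    for opt in options.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "content":
            contents.append(Content(_decode_content(value.strip('"'))))
        elif key in ("distance", "within"):
            if not contents:
                raise ValueError(f"{key} needs a preceding content")
            setattr(contents[-1], key, int(value))
        else:
            raise ValueError(f"unsupported option: {opt}")
    return contents


def _occurrences(hay: bytes, needle: bytes, start: int, end: int) -> Iterator[int]:
    """Yield every offset where needle lies fully inside hay[start:end]."""
    pos = max(start, 0)                 # a negative distance must not wrap around
    while True:
        pos = hay.find(needle, pos, end)
        if pos < 0:
            return
        yield pos
        pos += 1


def match_rule(payload: bytes, contents: List[Content]) -> Optional[List[int]]:
    """Return the offset of each content's match, or None if the rule fails."""

    def step(idx: int, doe_ptr: int, found: List[int]) -> Optional[List[int]]:
        if idx == len(contents):
            return found
        c = contents[idx]
        relative = c.distance is not None or c.within is not None
        start = doe_ptr + (c.distance or 0) if relative else 0
        end = start + c.within if c.within is not None else len(payload)
        for off in _occurrences(payload, c.pattern, start, end):
            hit = step(idx + 1, off + len(c.pattern), found + [off])
            if hit is not None:
                return hit
        return None

    return step(0, 0, [])


# The rule from the post, plus constructed payloads (not captured traffic).
RULE_FROM_POST = 'content:"foo"; content:"bar"; within:4; content:"blah"; within:5;'
PAYLOADS = {
    "hit":          b"foo bar blah",     # bar ends 4 past foo, blah ends 5 past bar
    "bar too far":  b"foo---bar blah",   # bar ends 6 bytes past the end of foo
    "blah too far": b"foo bar  blah",    # blah ends 6 bytes past the end of bar
    "retry on foo": b"foo foobar blah",  # first foo fails, second foo succeeds
}

if __name__ == "__main__":
    rule = parse_options(RULE_FROM_POST)
    for name, payload in PAYLOADS.items():
        print(f"{name:13} {payload!r:24} -> {match_rule(payload, rule)}")
```

The "blah too far" payload is the case the original question is really about: a byte count is measured from the end of the previous match, so one extra byte of padding between "bar" and "blah" is enough to push the match outside the within:5 window, while a non-relative content ("foo") is still free to match anywhere in the payload.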
