[Snort-sigs] Question about rule semantic

stephane grundsch
Mon Jul 7 14:46:03 EDT 2003


Hello again!

I played a little bit with a test setup, in order to understand how 
these "overflow" rules work. (Especially since the new rule 
sid:2183 includes the famous byte_test, thanks Brian!).

Anyhow, here's what I found when playing with the following dummy rule 
(whose purpose is to be triggered after the "bla" keyword followed by 
at least 10 bytes without a 0x0a):

  alert tcp any any -> any 8000 (msg:"overflow attempt";
    flow:to_server,established;
    content:"bla"; byte_test:1,<,256,10,relative; content:!"|0a|";
    within:10; sid:9999; rev:1;)

It works quite well, as long as the keyword and the following non-0x0a 
bytes are in the same packet. If they are in numerous packets, the rule 
will not trigger. (See attached file. It's a packet capture of such a 
session. The alert is listed at the end, and if you look at the 
timestamp, it matches the packet where all data was within one packet.)
[Attachment: capture_all_reassembly.txt - 
https://lists.snort.org/pipermail/snort-sigs/attachments/20030707/0c25bba5/attachment.txt]


I also tested the original construct, without the "byte_test", i.e.:

  alert tcp any any -> any 8000 (msg:"overflow attempt";
    flow:to_server,established;
    content:"bla"; content:!"|0a|"; within:10; sid:9999; rev:1;)

This one triggers as soon as the keyword appears and there are no 0x0a 
within the given distance inside the _same_ packet. That is, if you 
send "bla12345" without 0x0a, it will still trigger...

So basically, we end up with two choices: either a rule which triggers 
too often (each time the keyword appears near the end of a packet, 
that's the rule without byte_test), or a rule which will miss all 
attacks spanning numerous packets (the one with the byte_test). I would 
prefer the second, but for a buffer overflow detection, that's quite 
funny...

Or did I misconfigure the stream reassembly preprocessor? (But I used 
the "ports all" option to stream4_reassemble.)

Finally, and for those following this thread since the beginning, the 
semantics of content:!"|0a|" is actually "not (content is 0x0a)" and not, 
as I thought first, "content is not(0x0a)"...
(Reread it five times and you will know what I mean :-)

Steph

On Monday, June 23, 2003, at 17:04 Europe/Zurich, Brian wrote:

> On Tue, Jun 17, 2003 at 11:11:30PM +0200, stephane wrote:
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow
>> attempt"; flow:to_server,established; content:"CWD "; nocase;
>> content:!"|0a|"; within:100; reference:cve,CAN-2000-1035;
>> reference:cve,CAN-2000-1194; reference:cve,CAN-2002-0126;
>> classtype:attempted-admin; sid:1919; rev:3;)
>>
>> Its purpose is to catch potential buffer overflows. I think the 
>> author
>> thought this rule will work as follows:
>> - match if there is "CWD " followed by 100 chars without a '0x0a'
>> (linefeed).
>>
>> I think this is wrong, and will actually work like that:
>> - match if there is "CWD " followed by anything different than '0x0a'
>> within the next 100 bytes
>
> It would be faster to define it like this:
>
> match if there is a "CWD", followed by at least 100 bytes of data,
> without a 0x0a within 100 bytes of CWD.
>
> While this can be done via an abuse of byte_test, a better approach is
> in the works.
>
> -brian
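Added example, not part of the mailing-list post: a small Python model of how Snort 2 evaluates the two rules from Stephane's message, showing why the plain content:!"|0a|"; within:10 form fires on a short packet and why the byte_test form only fires when the whole window sits in one packet (or the stream is reassembled). It assumes per-packet matching unless the payloads are joined by hand, which stands in for stream4 reassembly, and it ignores the flow and port checks.

```python
# Model of the two rules from the post. Assumption: Snort evaluates a rule
# on one packet payload at a time unless the stream preprocessor has
# reassembled the data; joining payloads below stands in for reassembly.
KEYWORD = b"bla"
LF = b"\n"          # the |0a| byte
WINDOW = 10         # within:10
BT_OFFSET = 10      # byte_test:1,<,256,10,relative

def cursors(payload: bytes):
    """Yield the position just after each occurrence of KEYWORD.
    Snort retries later occurrences when the relative checks fail."""
    start = 0
    while (idx := payload.find(KEYWORD, start)) >= 0:
        yield idx + len(KEYWORD)
        start = idx + 1

def no_lf_within(payload: bytes, cursor: int) -> bool:
    """content:!"|0a|"; within:10; succeeds when no 0x0a is found in the
    next WINDOW bytes. A packet that ends early just shrinks the window,
    so "bla12345" passes although fewer than 10 bytes follow the keyword."""
    return LF not in payload[cursor:cursor + WINDOW]

def byte_test_ok(payload: bytes, cursor: int) -> bool:
    """byte_test:1,<,256,10,relative reads one byte at cursor+10 and checks
    it is < 256, which every byte is. Its only real effect is to fail when
    that byte is absent, i.e. when fewer than 11 bytes follow the keyword
    in this packet (offset 10 is the 11th byte)."""
    pos = cursor + BT_OFFSET
    return pos < len(payload) and payload[pos] < 256

def rule_without_byte_test(payload: bytes) -> bool:
    return any(no_lf_within(payload, c) for c in cursors(payload))

def rule_with_byte_test(payload: bytes) -> bool:
    return any(byte_test_ok(payload, c) and no_lf_within(payload, c)
               for c in cursors(payload))

def per_packet(rule, packets):
    """Without reassembly each packet is matched on its own."""
    return [rule(p) for p in packets]

def reassembled(rule, packets):
    """With stream reassembly the rule sees the joined payload."""
    return rule(b"".join(packets))

# Constructed sample traffic: the keyword followed by 12 non-LF bytes,
# split over two packets like the session described in the post.
SPLIT = [b"bla123", b"456789abcdef"]
```

Running the model on SPLIT reproduces the observation: the byte_test rule alerts only on the reassembled payload, while the plain rule alerts on the first packet alone.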