[Snort-sigs] How to filter by only the first 3 bytes of data?

Joseph Gama josephgama at ...144...
Tue Jul 6 19:26:04 EDT 2004


Hello!
I am a newbie, so be gentle, ok? :)

I am trying to create a rule that will look for the
first 3 bytes of data in a UDP packet to see if they
match 0x083A31.

First I tried depth:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL heap overflow attempt (083A31)"; content:"|08 3A 31|"; depth:3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-user; sid:????; rev:0;)

Then I tried byte_test:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL heap overflow attempt (083A31)"; byte_test:6,=,0x083A31,0,string,hex; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-user; sid:????; rev:0;)

I receive the right packets with ethereal but this
rule never fires. Please help me out on this one.

Thank you very much!

Joseph Gama
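Added example, not part of the post above: a small Python model of the two Snort matching options the post tries, run over constructed UDP payloads (not captured traffic). The function names, the payload dictionary and the simplified conversion logic are mine; content with depth and byte_test with the "string, hex" modifiers are modelled from their documented semantics, and Snort's own strtoul-based number parsing is simplified. The point it makes is that content:"|08 3A 31|"; depth:3; can only match at offset 0, whereas byte_test with "string, hex" reads ASCII hex characters and therefore never matches the raw bytes 08 3A 31.

```python
# Added example (not from the original post): model of the two Snort
# matching options tried in the post, run over constructed payloads.
# Snort's real byte_test string conversion uses strtoul(); this model
# simplifies it (any non-hex character makes the conversion fail).

PATTERN = bytes.fromhex("083A31")

# Constructed UDP payloads, not captured traffic.
PAYLOADS = {
    "binary_083A31_at_start": PATTERN + b"\x41" * 16,
    "binary_083A31_later":    b"\x00\x00" + PATTERN + b"\x41" * 16,
    "ascii_hex_text":         b"083A31" + b"\x41" * 16,
    "too_short":              bytes.fromhex("083A"),
}


def content_depth(payload: bytes, pattern: bytes, depth: int) -> bool:
    """Model of: content:"|..|"; depth:N;

    Without an offset the search starts at payload byte 0 and depth:N
    limits it to the first N bytes.  A 3-byte pattern with depth:3 can
    therefore only match at offset 0, which is the "first 3 bytes" test.
    """
    return pattern in payload[:depth]


def byte_test_string_hex(payload: bytes, nbytes: int, value: int,
                         offset: int) -> bool:
    """Model of: byte_test:nbytes,=,value,offset,string,hex;

    With the "string" modifier byte_test does not read binary data: it
    takes nbytes ASCII characters from the payload, converts them as a
    base-16 number and compares that number with value.  The raw bytes
    08 3A 31 are not ASCII hex digits, so the conversion fails and the
    test is false, which is why a rule written this way never fires on
    the binary packet.
    """
    chunk = payload[offset:offset + nbytes]
    if len(chunk) < nbytes:
        return False
    try:
        return int(chunk.decode("ascii"), 16) == value
    except (UnicodeDecodeError, ValueError):
        return False


def evaluate(payload: bytes) -> dict:
    """Apply both rules from the post to one payload."""
    return {
        "content_depth3": content_depth(payload, PATTERN, 3),
        "byte_test_6_string_hex": byte_test_string_hex(payload, 6, 0x083A31, 0),
    }


if __name__ == "__main__":
    for name, data in PAYLOADS.items():
        print(f"{name:24s} {evaluate(data)}")
```

Running it shows the content/depth rule true only for the payload that starts with 08 3A 31, and the byte_test rule true only for the payload that carries the ASCII text "083A31", never for the binary bytes.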



		
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail 



