[Snort-sigs] Rules to get the first 3 bytes from a UDP packet fail

Joseph Gama josephgama at ...144...
Thu Jul 8 16:22:14 EDT 2004


Hello,

I wanted to get an alert when the first 3 bytes of
data in a UDP packet match 0x0A3A31. I get the right
packet with ethereal but my rules never fire.
Here are the rules:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434
(msg:"MS-SQL heap overflow attempt (0A3A31)";
byte_test: 3, =, 0x0A3A31, 0, string, hex; reference:
url,http.www.nextgenss.com/papers/tp-SQL2000.pdf;
classtype:attempted-user; sid:????; rev:0;) 

alert udp $EXTERNAL_NET any -> $HOME_NET 1434
(msg:"MS-SQL heap overflow attempt (0A3A31)";
byte_test: 6, =, 0x0A3A31, 0, string, hex; reference:
url,http.www.nextgenss.com/papers/tp-SQL2000.pdf;
classtype:attempted-user; sid:????; rev:0;) 

alert udp $EXTERNAL_NET any -> $HOME_NET 1434
(msg:"MS-SQL heap overflow attempt (0A3A31) 2";
content:"|0A 3A 31|"; depth:3; reference:
url,http.www.nextgenss.com/papers/tp-SQL2000.pdf;
classtype:attempted-dos; sid:????; rev:0;) 

alert udp $EXTERNAL_NET any -> $HOME_NET 1434
(msg:"MS-SQL heap overflow attempt (0A3A31) 3";
content:"|0A 3A 31|"; reference:
url,http.www.nextgenss.com/papers/tp-SQL2000.pdf;
classtype:attempted-dos; sid:????; rev:0;) 

The last one doesn't even care about the depth.

This is the captured packet:

Internet Protocol, 
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 31
    Identification: 0x0173 (371)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x2317 (correct)
    Source: ---------
    Destination: --------------
User Datagram Protocol, Src Port: 1043 (1043), Dst Port: ms-sql-m (1434)
    Source port: 1043 (1043)
    Destination port: ms-sql-m (1434)
    Length: 9
    Checksum: 0xd5ea (correct)
Data (3 bytes)

0000  0a 3a 31                                          .:1

As you can see the packet makes it there and it has
the right data.


Help would be very appreciated.

Thank you!

Peace,

Joseph Gama
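To make the matching semantics of the rule options used above concrete, here is an added example (written for this thread, not Snort's code and not the poster's) that models three Snort 2 rule options in Python and runs them over the 3-byte UDP payload from the capture: `content:"|0A 3A 31|"` with and without `depth`, `byte_test` in its raw-bytes form, and `byte_test` with the `string, hex` modifiers. The model follows the documented behaviour of `byte_test`: with `string`, the selected bytes are read as ASCII characters and parsed in the given base; without it, they are read as a raw big-endian integer. The rule names and the second, ASCII-hex payload are constructed for the demonstration. Whether a 3-byte raw conversion is accepted depends on the `byte_test` limits of the Snort version in use, so check that before relying on it.

```python
import operator

# Constructed sample: the UDP payload from the capture in the post (3 raw bytes).
CAPTURED_PAYLOAD = bytes.fromhex("0a3a31")

# Constructed sample: the same value written as six ASCII hex digits, which is
# the kind of input the "string, hex" form of byte_test is designed to parse.
ASCII_HEX_PAYLOAD = b"0A3A31"

_OPS = {
    "=": operator.eq,
    "!=": operator.ne,
    "<": operator.lt,
    ">": operator.gt,
    "<=": operator.le,
    ">=": operator.ge,
}


def content_match(payload, pattern, depth=None):
    """Model of content:"|..|" with an optional depth modifier.

    With depth, the pattern must occur entirely within the first `depth` bytes
    of the payload; without it, anywhere in the payload.
    """
    window = payload if depth is None else payload[:depth]
    return pattern in window


def byte_test(payload, nbytes, op, value, offset, string=False, base=10, big_endian=True):
    """Model of byte_test:<nbytes>, <op>, <value>, <offset> [, string, <base>].

    string=True reads `nbytes` ASCII characters and parses them as a number in
    `base`; string=False reads `nbytes` raw bytes as an integer.
    Returns False when the payload is too short or the text is not a number.
    """
    chunk = payload[offset:offset + nbytes]
    if len(chunk) < nbytes:
        return False  # not enough data to convert
    if string:
        try:
            extracted = int(chunk.decode("ascii"), base)
        except (UnicodeDecodeError, ValueError):
            return False  # raw bytes such as 0x0a or ':' are not hex digits
    else:
        extracted = int.from_bytes(chunk, "big" if big_endian else "little")
    return _OPS[op](extracted, value)


def evaluate_rules(payload):
    """Run the option forms from the thread (plus a raw byte_test) over one payload.

    The keys are constructed labels, not Snort rule names.
    """
    pattern = bytes.fromhex("0a3a31")
    return {
        # byte_test: 3, =, 0x0A3A31, 0, string, hex
        "byte_test_3_string_hex": byte_test(payload, 3, "=", 0x0A3A31, 0, string=True, base=16),
        # byte_test: 6, =, 0x0A3A31, 0, string, hex
        "byte_test_6_string_hex": byte_test(payload, 6, "=", 0x0A3A31, 0, string=True, base=16),
        # content:"|0A 3A 31|"; depth:3
        "content_depth_3": content_match(payload, pattern, depth=3),
        # content:"|0A 3A 31|"
        "content_no_depth": content_match(payload, pattern),
        # byte_test: 3, =, 0x0A3A31, 0  (raw bytes, no string modifier)
        "byte_test_3_raw": byte_test(payload, 3, "=", 0x0A3A31, 0),
    }


if __name__ == "__main__":
    for label, payload in (("captured", CAPTURED_PAYLOAD), ("ascii-hex", ASCII_HEX_PAYLOAD)):
        print(label, payload)
        for name, fired in evaluate_rules(payload).items():
            print(f"  {name:24s} {'fires' if fired else 'no match'}")
```

Running it shows the two behaviours side by side: on the captured raw payload the `string, hex` forms never match (the bytes 0x0a and 0x3a are not hex digits, and a 6-byte read overruns a 3-byte payload), while the `content` forms and the raw `byte_test` do; on the ASCII-hex payload only the 6-character `string, hex` form matches, because that is the input shape the modifier is for.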


