[Snort-sigs] Rules to get the first 3 bytes from a UDP packet fail

Matthew Watchinski mwatchinski at ...435...
Fri Jul 9 08:20:00 EDT 2004


No need to byte test here.   A simple bounded content match will work 
just fine.

alert udp $EXTERNAL_NET any -> $HOME_NET 1434
(msg:"MS-SQL heap overflow attempt (0A3A31)";
flow:to_server,established;
content:"|0A 3A 31|"; offset:0; depth:3; 
reference:url,http.www.nextgenss.com/papers/tp-SQL2000.pdf;
classtype:attempted-user; sid:????; rev:0;) 

cheers,
-matt
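As an added example (not code from the thread), a small Python emulation of the matching semantics discussed here: the bounded `content` match with `offset:0; depth:3;` from the reply, and the `byte_test ... string,hex` conversion from the original rules, both run against the 3-byte payload from the posted capture. Function names and the strtoul-style parse used to mimic the `string` modifier are this example's own assumptions, not Snort's code.

```python
# Added example (not part of the thread): emulates the Snort matching
# semantics discussed above over the payload from the posted capture.
import re
from typing import Optional

# Constructed from the capture in the thread: "Data (3 bytes) 0000  0a 3a 31"
CAPTURED_PAYLOAD = bytes.fromhex("0a3a31")

def parse_hex_content(pattern: str) -> bytes:
    """Convert a Snort binary content string such as '|0A 3A 31|' to bytes.
    Only the |..| form is handled; that is all this rule needs."""
    m = re.fullmatch(r"\|([0-9A-Fa-f ]+)\|", pattern.strip())
    if not m:
        raise ValueError("only |hex| content patterns are supported here")
    return bytes.fromhex(m.group(1).replace(" ", ""))

def content_match(payload: bytes, pattern: str, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Bounded content match: look for the pattern starting at `offset` and
    inspecting at most `depth` bytes from there, as offset/depth do in Snort.
    With depth equal to the pattern length the match is pinned to `offset`."""
    needle = parse_hex_content(pattern)
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return needle in payload[offset:end]

def byte_test_string_hex(payload: bytes, nbytes: int, value: int,
                         offset: int = 0) -> bool:
    """Emulates byte_test:<nbytes>,=,<value>,<offset>,string,hex (assumed
    strtoul-style parse): the bytes are read as ASCII text, leading whitespace
    is skipped, parsing stops at the first non-hex character, and nothing
    parsed counts as 0. Raw binary 0a 3a 31 is therefore never equal to
    0x0A3A31; only the ASCII text "0A3A31" would be. Reading past the end of
    the payload cannot match."""
    if offset + nbytes > len(payload):
        return False
    window = payload[offset:offset + nbytes].decode("latin-1")
    m = re.match(r"\s*([0-9A-Fa-f]+)", window)
    parsed = int(m.group(1), 16) if m else 0
    return parsed == value

def check_capture() -> dict:
    """Run the reply's bounded content match and the original byte_test
    variants against the captured 3-byte payload."""
    return {
        "content_offset0_depth3": content_match(CAPTURED_PAYLOAD, "|0A 3A 31|", 0, 3),
        "byte_test_3_string_hex": byte_test_string_hex(CAPTURED_PAYLOAD, 3, 0x0A3A31),
        "byte_test_6_string_hex": byte_test_string_hex(CAPTURED_PAYLOAD, 6, 0x0A3A31),
    }

if __name__ == "__main__":
    for name, fired in check_capture().items():
        print(f"{name}: {'fires' if fired else 'does not fire'}")
```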

Joseph Gama wrote:

>Hello,
>
>I wanted to get an alert when the first 3 bytes of
>data in a UDP packet match 0x0A3A31. I get the right
>packet with ethereal but my rules never fire.
>Here are the rules:
>
>alert udp $EXTERNAL_NET any -> $HOME_NET 1434
>(msg:"MS-SQL heap overflow attempt (0A3A31)";
>byte_test: 3, =, 0x0A3A31, 0, string, hex; reference:
>url,http.www.nextgenss.com/papers/tp-SQL2000.pdf;
>classtype:attempted-user; sid:????; rev:0;) 
>
>alert udp $EXTERNAL_NET any -> $HOME_NET 1434
>(msg:"MS-SQL heap overflow attempt (0A3A31)";
>byte_test: 6, =, 0x0A3A31, 0, string, hex; reference:
>url,http.www.nextgenss.com/papers/tp-SQL2000.pdf;
>classtype:attempted-user; sid:????; rev:0;) 
>
>alert udp $EXTERNAL_NET any -> $HOME_NET 1434
>(msg:"MS-SQL heap overflow attempt (0A3A31) 2";
>content:"|0A 3A 31|"; depth:3; reference:
>url,http.www.nextgenss.com/papers/tp-SQL2000.pdf;
>classtype:attempted-dos; sid:????; rev:0;) 
>
>alert udp $EXTERNAL_NET any -> $HOME_NET 1434
>(msg:"MS-SQL heap overflow attempt (0A3A31) 3";
>content:"|0A 3A 31|"; reference:
>url,http.www.nextgenss.com/papers/tp-SQL2000.pdf;
>classtype:attempted-dos; sid:????; rev:0;) 
>
>The last one doesn't even care about the depth.
>
>This is the captured packet:
>
>Internet Protocol, 
>    Version: 4
>    Header length: 20 bytes
>    Differentiated Services Field: 0x00 (DSCP 0x00:
>Default; ECN: 0x00)
>        0000 00.. = Differentiated Services Codepoint:
>Default (0x00)
>        .... ..0. = ECN-Capable Transport (ECT): 0
>        .... ...0 = ECN-CE: 0
>    Total Length: 31
>    Identification: 0x0173 (371)
>    Flags: 0x00
>        0... = Reserved bit: Not set
>        .0.. = Don't fragment: Not set
>        ..0. = More fragments: Not set
>    Fragment offset: 0
>    Time to live: 128
>    Protocol: UDP (0x11)
>    Header checksum: 0x2317 (correct)
>    Source: ---------
>    Destination: --------------
>User Datagram Protocol, Src Port: 1043 (1043), Dst
>Port: ms-sql-m (1434)
>    Source port: 1043 (1043)
>    Destination port: ms-sql-m (1434)
>    Length: 9
>    Checksum: 0xd5ea (correct)
>Data (3 bytes)
>
>0000  0a 3a 31                                         .:1
>
>As you can see the packet makes it there and it has
>the right data.
>
>
>Help would be very appreciated.
>
>Thank you!
>
>Peace,
>
>Joseph Gama
>
>
>