[Snort-sigs] Question on function of "within" command

Joel Esler joel.esler at ...435...
Mon Jul 31 22:58:09 EDT 2006

Answers inline

On Mon, Jul 31, 2006 at 05:15:00PM -0400, Al Roethlisberger sent me:
> Although documented at:
> http://www.snort.org/docs/snort_htmanuals/htmanual_233/node21.html#SECTION00457000000000000000
> The "within" command seems a little confusing if used with the
> "distance" command, which I have seen before in
> some custom rules.

The purpose of offset/depth is to use them for the first content match.  distance/within is for content matches that are relative to the previous content match.

You can use multiple offsets and depths in one rule, however you have to remember, that everytime you use the 'offset' keyword, the counter starts a byte 0.  Or the first data byte after the headers.  

So if I wrote a rule like:                      content:"ABC"; offset:0; depth:3; content:"DEF"; offset:3; depth:3;  See how the offset starts back over at the beginning? 
If I wrote the same rule using distance/within: content:"ABC": offset:0; depth:3; content:"DEF"; distance:0; within:3;  Make sense?  (now, there is no point in writing offset:0; for the first content match.)

> So, for example, if one has a rule such as:
> content:"|XYZ|"; depth:3; content:"|1|"; distance:8; depth:1;
> content:"|2|"; distance:4; depth:1;

content:"|XYZ|"; depth:3; content:"|1|"; distance:8; within:1; content:"|2|"; distance:4; within:1;  <-- is the correct re-write of the above.

If you are using distance, you need to use within, not depth.

How this would read is "XYZ" in the first three bytes of the packet, then, move 8 bytes from the end of the Z in "XYZ" and look for "|1|", for one byte, then, after that one byte, move 4 more bytes, and look for a "|2|" for one byte.  

Now, say...  your last within was a "4" instead of a 1, it wouldn't look for just the "|2|" for one byte, the "|2|" could be anywhere 'within' the next four bytes, after moving the distance of 4 relative to the previous content match. 

Hope that helps.

Just remember two words:  Unique, and specific.  Make you rules Unique, so as to avoid false positives, and specific, not only to avoid false positives, but to be fast.  Create the biggest content matches you can.  So instead of looking for "ABC" and "DEF" in two seperate content matches.  If you know ABC and DEF are always going to be sandwitched next to each other like "ABCDEF", then write content:"ABCDEF"; depth:6;  The rule engine will optimize this one better.

Joel Esler          Senior Security Consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         GPG Key: http://demo.sourcefire.com/jesler.pgp.key
           AIM:eslerjoel  YMSG:eslerjoel  Gtalk:eslerj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20060731/1bd9b9b5/attachment.sig>

More information about the Snort-sigs mailing list