[Snort-sigs] Question about content

Paul Schmehl pschmehl_lists at ...3425...
Tue Dec 1 11:53:46 EST 2009


Speaking of rocks and glass houses, you really should read before responding to 
someone.

The OP asked "I want to detect the last word in the content
for exemple if I have this bytes: ....1245643577AAAA
how can I verify that it contains "AAAA" at the end without knowing the total 
size of bytes"

Your rule assumes the content is 4 bytes in.  It also assumes that the content 
will come in a GET request using the protocol http, none of which the OP 
specified.

Now, tell us how you could detect the last_four_bytes in *any* packet.  Maybe 
then you'll get an A for more than effort and help the OP with his homework in 
the process.  As it is, you've earned him a failing grade for not reading the 
assignment correctly.

I'll give you a hint.  Since the question doesn't specify protocol *or* 
directionality, you would start with:

alert ip any any -> any any.

The rest is left as an exercise for the reader.  If you can answer the question 
"how can I know how many bytes there are in a packet", you're halfway there.

--On Tuesday, December 01, 2009 08:47:57 -0600 evilghost at ...3397... wrote:

>
> ...1245643577AAAA
>>> how can I verify that it contains "AAAA"
>
> Making assumptions about direction, protocol, and content I would try
> something like this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AAAA detected";
> flow:established,to_server; content:"GET "; depth:4; content:"AAAA";
> pcre:"/\d+AAAA$/"; classtype:suspicious-activity; sid:20091201; rev:1;)
>
> As it stands the signature is costly but you would need to supply additional
> criteria for us to narrow it down.  For example, are you looking in the
> uribuffer or http_headers?  Content body?  What layer 7 protocol?  Any other
> identifying factors that could add to the precision?
>
> Note - SourceFire shouldn't be allowed to interface with the public,
> especially if the responses are accusatory in nature.  Some of the quality in
> VRT signatures I've seen make me laugh when they respond like they do here.
> It's always funny to watch the baboons throwing rocks from their glass houses.
>
>
> Matt Olney wrote:
>> Yep...but I'm feeling uber generous this morning, so I'll give you a tip:
>>
>> PCRE$
>>
>> On Tue, Dec 1, 2009 at 8:33 AM, Nigel Houghton <nhoughton at ...435...>
>> wrote:
>>
>>> On Tue, Dec 1, 2009 at 4:11 AM, sofia insat <sofia.insat at ...174...> wrote:
>>>
>>>> Hi,
>>>>
>>>> I want to detect the last word in the content
>>>> for exemple if I have this bytes: ....1245643577AAAA
>>>> how can I verify that it contains "AAAA" at the end without knowing the
>>>> total size of bytes
>>>>
>>>>
>>>>
>>>> --------------------------------------------------------------------------
>>>> ---- Join us December 9, 2009 for the Red Hat Virtual Experience,
>>>> a free event focused on virtualization and cloud computing.
>>>> Attend in-depth sessions from your desk. Your couch. Anywhere.
>>>> http://p.sf.net/sfu/redhat-sfdev2dev
>>>> _______________________________________________
>>>> Snort-sigs mailing list
>>>> Snort-sigs at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>
>>>>
>>> Again, this looks like a homework assignment. This list is not the
>>> place for homework questions.
>>>
>>> The answers you seek can be found in the Snort manual and the
>>> associated README files in the Snort tarball. You need to do some work
>>> and read the documentation.
>>>
>>> --
>>> Nigel Houghton
>>> Head Mentalist
>>> SF VRT
>>> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>>>
>>> ---------------------------------------------------------------------------
>>> --- Join us December 9, 2009 for the Red Hat Virtual Experience,
>>> a free event focused on virtualization and cloud computing.
>>> Attend in-depth sessions from your desk. Your couch. Anywhere.
>>> http://p.sf.net/sfu/redhat-sfdev2dev
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>
>>>
>>
>> ----------------------------------------------------------------------------
>> -- Join us December 9, 2009 for the Red Hat Virtual Experience,
>> a free event focused on virtualization and cloud computing.
>> Attend in-depth sessions from your desk. Your couch. Anywhere.
>> http://p.sf.net/sfu/redhat-sfdev2dev
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>>
>
> ------------------------------------------------------------------------------
> Join us December 9, 2009 for the Red Hat Virtual Experience,
> a free event focused on virtualization and cloud computing.
> Attend in-depth sessions from your desk. Your couch. Anywhere.
> http://p.sf.net/sfu/redhat-sfdev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson





More information about the Snort-sigs mailing list