[Snort-sigs] [AUTO IP] Re: Question about content

evilghost at ...3397...
Tue Dec 1 12:46:04 EST 2009


Paul, since you failed at reading comprehension, here would be the 
*critical* statement I made *before* I supplied the rule, as an example 
of how PCRE could be used to detect what the OP has requested:

"Making assumptions about direction, protocol, and content I would try 
something like this:"

I do appreciate your gems of wisdom concerning the IP-based rule.

Paul Schmehl wrote:
> Speaking of rocks and glass houses, you really should read before responding to 
> someone.
>
> The OP asked "I want to detect the last word in the content
> for example if I have this bytes: ....1245643577AAAA
> how can I verify that it contains "AAAA" at the end without knowing the total 
> size of bytes"
>
> Your rule assumes the content is 4 bytes in.  It also assumes that the content 
> will come in a GET request using the protocol http, none of which the OP 
> specified.
>
> Now, tell us how you could detect the last_four_bytes in *any* packet.  Maybe 
> then you'll get an A for more than effort and help the OP with his homework in 
> the process.  As it is, you've earned him a failing grade for not reading the 
> assignment correctly.
>
> I'll give you a hint.  Since the question doesn't specify protocol *or* 
> directionality, you would start with:
>
> alert ip any any -> any any.
>
> The rest is left as an exercise for the reader.  If you can answer the question 
> "how can I know how many bytes there are in a packet", you're halfway there.
>
> --On Tuesday, December 01, 2009 08:47:57 -0600 evilghost at ...3397... wrote:
>
>   
>> ...1245643577AAAA
>>     
>>>> how can I verify that it contains "AAAA"
>>>>         
>> Making assumptions about direction, protocol, and content I would try
>> something like this:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AAAA detected";
>> flow:established,to_server; content:"GET "; depth:4; content:"AAAA";
>> pcre:"/\d+AAAA$/"; classtype:suspicious-activity; sid:20091201; rev:1;)
>>
>> As it stands the signature is costly but you would need to supply additional
>> criteria for us to narrow it down.  For example, are you looking in the
>> uribuffer or http_headers?  Content body?  What layer 7 protocol?  Any other
>> identifying factors that could add to the precision?
>>
>> Note - SourceFire shouldn't be allowed to interface with the public,
>> especially if the responses are accusatory in nature.  Some of the quality in
>> VRT signatures I've seen make me laugh when they respond like they do here.
>> It's always funny to watch the baboons throwing rocks from their glass houses.
>>
>>
>> Matt Olney wrote:
>>     
>>> Yep...but I'm feeling uber generous this morning, so I'll give you a tip:
>>>
>>> PCRE$
>>>
>>> On Tue, Dec 1, 2009 at 8:33 AM, Nigel Houghton <nhoughton at ...435...>
>>> wrote:
>>>
>>>       
>>>> On Tue, Dec 1, 2009 at 4:11 AM, sofia insat <sofia.insat at ...174...> wrote:
>>>>
>>>>         
>>>>> Hi,
>>>>>
>>>>> I want to detect the last word in the content
>>>>> for example if I have this bytes: ....1245643577AAAA
>>>>> how can I verify that it contains "AAAA" at the end without knowing the
>>>>> total size of bytes
>>>>>
>>>>>
>>>>>
>>>>> --------------------------------------------------------------------------
>>>>> ---- Join us December 9, 2009 for the Red Hat Virtual Experience,
>>>>> a free event focused on virtualization and cloud computing.
>>>>> Attend in-depth sessions from your desk. Your couch. Anywhere.
>>>>> http://p.sf.net/sfu/redhat-sfdev2dev
>>>>> _______________________________________________
>>>>> Snort-sigs mailing list
>>>>> Snort-sigs at lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>>
>>>>>
>>>>>           
>>>> Again, this looks like a homework assignment. This list is not the
>>>> place for homework questions.
>>>>
>>>> The answers you seek can be found in the Snort manual and the
>>>> associated README files in the Snort tarball. You need to do some work
>>>> and read the documentation.
>>>>
>>>> --
>>>> Nigel Houghton
>>>> Head Mentalist
>>>> SF VRT
>>>> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>>>>
>
>
>
>   


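As an added example (not from the thread or from any poster), the Python below runs the `/\d+AAAA$/` expression from the quoted rule over a few constructed payloads, next to a plain tail-slice check that needs no regex and no knowledge of the total size. It also shows the caveat a rule writer wants: `$` in PCRE (and in Python's `re`) also matches just before a trailing newline, so a true end-of-buffer anchor is PCRE's `\z`, which Python spells `\Z`.

```python
import re

# Constructed sample payloads for illustration; none are taken from the thread.
PAYLOADS = {
    "plain":      b"GET ....1245643577AAAA",      # marker is the true tail
    "newline":    b"GET ....1245643577AAAA\n",    # marker followed by one LF
    "not_at_end": b"GET ....1245643577AAAAzz",    # marker in the middle
    "no_digits":  b"GET ....AAAA",                # tail matches, no digits before it
}

# The expression used in the quoted rule: digits immediately followed by AAAA at end.
RULE_PCRE = re.compile(rb"\d+AAAA$")

# Same idea anchored at the absolute end of the buffer. Python's \Z behaves like
# PCRE's \z (no allowance for a final newline), unlike $ or PCRE's \Z.
STRICT_PCRE = re.compile(rb"\d+AAAA\Z")


def rule_pcre_matches(payload: bytes) -> bool:
    """True if the rule's /\\d+AAAA$/ would fire on this payload."""
    return RULE_PCRE.search(payload) is not None


def strict_pcre_matches(payload: bytes) -> bool:
    """True only when the digits+AAAA run is the very last byte of the buffer."""
    return STRICT_PCRE.search(payload) is not None


def tail_is(payload: bytes, marker: bytes = b"AAAA") -> bool:
    """Size-independent check without a regex: compare the last len(marker) bytes.

    This is the 'how many bytes are in the packet' hint made concrete: the
    length is whatever the buffer length is, so slice from the end.
    """
    return len(payload) >= len(marker) and payload[-len(marker):] == marker


if __name__ == "__main__":
    for name, data in PAYLOADS.items():
        print(f"{name:11s} rule={rule_pcre_matches(data)!s:5s} "
              f"strict={strict_pcre_matches(data)!s:5s} tail={tail_is(data)}")
```

The `newline` case is the one to notice: the rule's `$` fires on it while the `\z`-style anchor does not, so the choice of anchor decides whether a marker followed by a line terminator counts as "at the end".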

