[Snort-sigs] question about isdataat

김무성 kimms at ...3282...
Sun Jul 5 21:10:07 EDT 2009


This is the description of the isdataat option in the Snort manual.

isdataat

Verify that the payload has data at a specified location, optionally looking for data relative to the end of the previous content match.

Format

isdataat:<int>[,relative];

Example

alert tcp any any -> any 111 (content:"PASS"; isdataat:50,relative; content:!"|0a|"; distance:0;)

This rule looks for the string PASS exists in the packet, then verifies there is at least 50 bytes after the end of the string PASS, then verifies that there is not a newline character within 50 bytes of the end of the PASS string.

So I tested it.

My test rule is this:

alert tcp any any -> any any (content:"kmsjlove"; nocase; depth:8; isdataat:50, relative; content:"|0a|"; distance:0;)

And I sent these packets.


1. 6b6d736a6c6f7665505050500a


This didn't alert.


2. 6b6d736a6c6f7665505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050500a50505050


There is "|0a|" at offset 46 from the first "|50|".
This did alert.


3. 6b6d736a6c6f76655050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050500a


There is "|0a|" at offset 53 from the first "|50|".
This did alert.


What's wrong?

The manual tells us that the rule "verifies that there is not a newline character within 50 bytes of the end of the PASS string."

By my test, this manual will have to be edited to:

"verifies that there is not a newline character after the end of the PASS string."

Right? Or not?
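To see why packet 3 still alerts, here is an added example (editor's code, not the poster's and not Snort's own implementation): a simplified Python model of how Snort walks a rule's content / isdataat / distance / within options left to right, run on payloads reconstructed from the post's description. The evaluate and alerts functions are hypothetical, and the isdataat check follows the manual's wording ("at least N bytes after the end of the previous match").

```python
def evaluate(payload: bytes, options: list) -> bool:
    """Hypothetical model of Snort's option walk: True if every option matches."""
    cursor = 0  # byte just past the end of the previous content match
    for opt in options:
        if "isdataat" in opt:  # manual wording: at least N bytes remain after the cursor
            base = cursor if opt.get("relative") else 0
            if len(payload) - base < opt["isdataat"]:
                return False
            continue
        pattern = opt["content"]
        relative = "distance" in opt or "within" in opt
        start = cursor + opt.get("distance", 0) if relative else opt.get("offset", 0)
        if "within" in opt:          # bound relative to the cursor
            stop = start + opt["within"]
        elif "depth" in opt:         # bound from the start of the payload
            stop = start + opt["depth"]
        else:                        # no bound at all: search to the end of the payload
            stop = len(payload)
        window = payload[start:stop]
        idx = window.lower().find(pattern.lower()) if opt.get("nocase") else window.find(pattern)
        if opt.get("negated"):       # content:!"..." passes when absent, cursor unchanged
            if idx != -1:
                return False
            continue
        if idx == -1:
            return False
        cursor = start + idx + len(pattern)
    return True


# Constructed payloads matching the post's description: "kmsjlove", a run of
# 0x50 bytes, then 0x0a (packet 2 also carries four trailing 0x50 bytes).
PACKETS = {
    1: b"kmsjlove" + b"P" * 4 + b"\n",              # only 5 bytes after the match
    2: b"kmsjlove" + b"P" * 46 + b"\n" + b"P" * 4,  # 0x0a at offset 46 from the match end
    3: b"kmsjlove" + b"P" * 53 + b"\n",             # 0x0a at offset 53 from the match end
}

# The posted rule: isdataat:50,relative; content:"|0a|"; distance:0 (no within)
RULE_AS_POSTED = [
    {"content": b"kmsjlove", "nocase": True, "depth": 8},
    {"isdataat": 50, "relative": True},
    {"content": b"\n", "distance": 0},
]
# The same rule with within:50 added, which is what actually bounds the search
RULE_WITH_WITHIN = RULE_AS_POSTED[:2] + [{"content": b"\n", "distance": 0, "within": 50}]


def alerts(rule: list) -> dict:
    """Map packet number to whether the rule would alert on it."""
    return {n: evaluate(p, rule) for n, p in PACKETS.items()}
```

With no within, distance:0 only sets where the search starts, so the newline is found anywhere up to the end of the payload and packet 3 alerts; within:50 is the keyword that limits the search to the 50 bytes the manual's sentence describes.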
