[Snort-sigs] question about isdataat

Joel Esler eslerj at ...2420...
Mon Jul 6 08:41:54 EDT 2009


2009/7/5 김무성 <kimms at ...3282...>

> This is the description of the isdataat option in the Snort manual.
>
> isdataat
>
> Verify that the payload has data at a specified location, optionally
> looking for data relative to the end of the previous content match.
>
> Format
>
> isdataat:<int>[,relative];
>
> Example
>
> alert tcp any any -> any 111 (content:"PASS"; isdataat:50,relative;
> content:!"|0a|"; distance:0;)
>
> This rule verifies that the string PASS exists in the packet, then verifies
> there are at least 50 bytes after the end of the string PASS, then verifies
> that there is not a newline character within 50 bytes of the end of the
> PASS string.
>


This is just an example.


>
> So I tested.
>
> My test rule is this:
>
> alert tcp any any -> any any (content:"kmsjlove"; nocase; depth:8;
> isdataat:50, relative; content:"|0a|"; distance:0;)
>

Look for "kmsjlove" no more than 8 bytes from the beginning of the packet,
then skip ahead 50 bytes, relative to the end of the previous content match,
which is "kmsjlove" and see if data is there.  Then, do a content match for
the hex string 0a, at a distance of 0 relative to the end of the previous
content match, which is "kmsjlove".


Does that help?

Isdataat is a "Read ahead" to see if data exists at some point (in
your case, 50, relative) in the packet.  Doesn't matter
what the data is, just as long as data exists.  Isdataat does not set
pointers.



-- 
joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
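The following is an added example, not code from the thread or from Snort itself: a small Python model of how the three options in the test rule above are evaluated in order, so the "isdataat does not set pointers" behaviour can be checked on constructed payloads. The helper names (match_content, isdataat, evaluate_rule) are hypothetical, and isdataat follows the manual wording quoted above ("at least n bytes after the end of the match").

```python
# Added example (hypothetical helpers, not Snort's own code): a model of how the
# rule from the thread is evaluated, to make the detection-pointer behaviour visible.

def match_content(payload, pattern, cursor, nocase=False, depth=None, distance=None):
    """Search for pattern; return the cursor just past the match, or None.

    cursor:   end of the previous content match (0 when none precedes).
    depth:    pattern must lie entirely within the first `depth` payload bytes.
    distance: search starts `distance` bytes after the previous match (relative).
    """
    if distance is not None:
        base, region = cursor + distance, payload[cursor + distance:]
    else:
        base, region = 0, payload[:depth] if depth is not None else payload
    hay, needle = (region.lower(), pattern.lower()) if nocase else (region, pattern)
    idx = hay.find(needle)
    return None if idx < 0 else base + idx + len(pattern)


def isdataat(payload, n, cursor, relative=False):
    """isdataat as described in the manual text quoted in the thread: succeed when
    at least n bytes of payload remain after the reference point. It only answers
    yes/no; the caller's cursor is deliberately left untouched."""
    ref = cursor if relative else 0
    return len(payload) - ref >= n


def evaluate_rule(payload):
    """content:"kmsjlove"; nocase; depth:8; isdataat:50,relative; content:"|0a|"; distance:0;
    Returns (matched, cursor_after_isdataat) so the pointer behaviour can be seen."""
    cursor = match_content(payload, b"kmsjlove", 0, nocase=True, depth=8)
    if cursor is None:
        return False, None
    if not isdataat(payload, 50, cursor, relative=True):
        return False, cursor
    # The cursor is still the end of "kmsjlove", so distance:0 starts the search
    # for 0x0a right there, not 50 bytes further along the payload.
    return match_content(payload, b"\x0a", cursor, distance=0) is not None, cursor


# Constructed payloads (not captured traffic)
HIT = b"KMSJLOVE" + b"A" * 10 + b"\n" + b"B" * 60   # newline 10 bytes past the match, plenty of data
SHORT = b"kmsjlove" + b"A" * 20 + b"\n"             # fewer than 50 bytes after the match
NO_NL = b"kmsjlove" + b"A" * 60                     # enough data ahead, but no 0x0a at all
DEEP = b"zz" + b"kmsjlove" + b"A" * 60 + b"\n"      # "kmsjlove" does not fit within depth:8

if __name__ == "__main__":
    for name, p in [("HIT", HIT), ("SHORT", SHORT), ("NO_NL", NO_NL), ("DEEP", DEEP)]:
        print(name, evaluate_rule(p))
```

The returned cursor is 8 in every case where "kmsjlove" matched, showing that the isdataat check neither advanced nor failed the match on its own.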