[Snort-sigs] Question regarding distances after a byte_jump...

evejou girl at ...3471...
Thu Dec 16 17:55:22 EST 2010


> I was trying to write a signature for Snort v2.6.1.5. I have a question
> about using the distance/within tags after a byte_test, if that's even
> proper use for it.

Oops. I meant, byte_jump.



On Thu, Dec 16, 2010 at 5:54 PM, evejou <girl at ...3471...> wrote:

> Hi,
>
> I was trying to write a signature for Snort v2.6.1.5. I have a question
> about using the distance/within tags after a byte_test, if that's even
> proper use for it.
>
> Say there's a packet that looks kind of like this:
>
> MM MM OO OO OO [....] TT XX XX AA AA ...
>
> (MM -- magic number)
> (OO -- offset value that points to the TTs; this offset counts from the
> beginning of the file)
> (XX XX -- 2 bytes that I don't care about)
>
> I was trying to figure out where the pointer would be after a byte_jump, so
> I tried to write the following to see if it would trigger:
>       content:"|MM MM|"; byte_jump:3,0,relative,from_beginning,post_offset 2;
>       content:"|AA AA|"; distance:0; within:2;
> I noticed that this didn't trigger, but that it did when I removed the
> "within:2" part.
>
>
> And then I tried the following:
>       content:"|MM MM|"; byte_jump:3,0,relative,from_beginning,post_offset 2;
>       content:"|OO OO OO|"; distance:0; within:3;
> and this triggered as well.
>
> My first question is whether this is expected behavior (or am I doing
> something wrong?), and adjunctly to that, how I could get a hit on that
> second content tag (the |AA AA| part)...
>
>
> Thanks,
> Alice
>
> --
> ---
> girl at ...3471...
>
> Finché c'è vita, c'è speranza.
> As long as there is life, there is hope.
>



-- 
---
girl at ...3471...

Finché c'è vita, c'è speranza.
As long as there is life, there is hope.
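The cursor arithmetic behind the first observation in the thread can be worked through with a small model of Snort 2.x's detection cursor (the "doe_ptr"). The code below is an added illustration, not Snort's own code and not the poster's rule; it implements byte_jump and content/distance/within as the Snort manual describes them (read the bytes at the cursor when relative, jump from payload offset 0 when from_beginning, then add post_offset; within bounds the window in which the whole pattern must land). The packet is constructed to match the layout in the question and assumes a one-byte TT, a big-endian 3-byte offset (Snort's default) and that "beginning of the file" is the start of the payload; the byte values and the helper names are made up. With the poster's post_offset 2 the cursor lands on the second XX, so a within:2 window holds XX AA and "|AA AA|" cannot fit; post_offset 3 puts the cursor on the first AA. The model does not reproduce the match the poster reports in the second test (the "|OO OO OO|" rule), so read it as the documented arithmetic rather than as a statement about what 2.6.1.5 actually did.

```python
"""Toy model of Snort 2.x byte_jump / content cursor arithmetic (illustration only)."""

# Constructed payload (not from the thread):
#   MM MM  = 4d 4d            magic
#   OO OO OO = 00 00 10       3-byte big-endian offset to TT, from payload start
#   11 filler bytes
#   TT = 54, XX XX = 58 58, AA AA = aa aa
PAYLOAD = bytes.fromhex("4d4d" + "000010" + "00" * 11 + "54" + "5858" + "aaaa")
MAGIC = b"\x4d\x4d"


def content(payload, cursor, pattern, distance=None, within=None):
    """Search for pattern; return the cursor after the match or None.

    Without distance/within the whole payload is searched.  With them the
    window starts at cursor+distance and, if within is given, the pattern must
    lie entirely inside the next `within` bytes (Snort manual semantics, as
    assumed here).
    """
    if distance is None and within is None:
        lo, hi = 0, len(payload)
    else:
        lo = cursor + (distance or 0)
        hi = len(payload) if within is None else min(len(payload), lo + within)
    idx = payload.find(pattern, lo, hi)
    return None if idx < 0 else idx + len(pattern)


def byte_jump(payload, cursor, nbytes, offset, relative=False,
              from_beginning=False, post_offset=0, multiplier=1, little=False):
    """Read nbytes at offset (from cursor if relative), jump, return new cursor.

    from_beginning: jump from payload offset 0 instead of from the end of the
    bytes just read.  post_offset is added after the jump.  Returns None when
    the read or the target falls outside the payload.
    """
    start = (cursor if relative else 0) + offset
    raw = payload[start:start + nbytes]
    if len(raw) != nbytes:
        return None
    value = int.from_bytes(raw, "little" if little else "big") * multiplier
    base = 0 if from_beginning else start + nbytes
    target = base + value + post_offset
    return target if 0 <= target <= len(payload) else None


def run(payload, ops):
    """Evaluate a list of ("content"|"byte_jump", kwargs) ops in order.

    Returns (matched, trace) where trace lists the cursor after each op.
    """
    cursor, trace = 0, []
    for kind, kwargs in ops:
        if kind == "content":
            cursor = content(payload, cursor, **kwargs)
        elif kind == "byte_jump":
            cursor = byte_jump(payload, cursor, **kwargs)
        else:
            raise ValueError(kind)
        trace.append((kind, cursor))
        if cursor is None:
            return False, trace
    return True, trace


def poster_rule(post_offset, within, pattern=b"\xaa\xaa"):
    """The poster's rule shape, parameterised on post_offset and within."""
    return [
        ("content", dict(pattern=MAGIC)),
        ("byte_jump", dict(nbytes=3, offset=0, relative=True,
                           from_beginning=True, post_offset=post_offset)),
        ("content", dict(pattern=pattern, distance=0, within=within)),
    ]


if __name__ == "__main__":
    for label, rule in [
        ("post_offset 2, within:2 (as posted)", poster_rule(2, 2)),
        ("post_offset 2, no within", poster_rule(2, None)),
        ("post_offset 3, within:2", poster_rule(3, 2)),
        ("post_offset 2, |OO OO OO| within:3", poster_rule(2, 3, b"\x00\x00\x10")),
    ]:
        print(label, "->", run(PAYLOAD, rule))
```

The trace makes the cursor positions explicit: "|MM MM|" leaves the cursor at 2, the jump reads 00 00 10 there, from_beginning takes it to 16 (TT) and post_offset 2 to 18 (the second XX), which is why within:2 has no room for a two-byte pattern starting at 19.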