[Snort-sigs] Question regarding distances after a byte_jump...

evejou girl at ...3471...
Fri Dec 17 01:20:29 EST 2010


Grr.. I suddenly realized why my signature was all messed up; my fatal
mistake was forgetting that from_beginning meant: "from the VERY BEGINNING,
from the HTTP header in my packet, which I totally forgot was there."
Suddenly all of my results make sense. :P

Thanks Joel... Sorry to bother.

Also, what's the difference (if there is any) between setting "post_offset
2" and using "distance:2"?



On Thu, Dec 16, 2010 at 7:37 PM, Joel Esler <jesler at ...435...> wrote:

> Two things that I see right away that you might want to try and make your
> life easier.
>
> from_beginning's function is to start its packet jumping at the beginning
> of the packet, as opposed to where your pointer is, and I am not sure that's
> what you are trying to do from reading your email.
>
> Also, post_offset can confuse the novice, so you might want to make it
> simpler for you.
>
> content:"|MM MM|"; byte_jump:3,0,relative; content:"|AA AA|"; distance:2; within:2;
>
>
> From reading your email, that might be what you are trying to do, please
> let me know?
>
> Joel
>
> On Dec 16, 2010, at 5:55 PM, evejou wrote:
>
>
>
> > I was trying to write a signature for Snort v2.6.1.5. I have a question
> about using the distance/within tags after a byte_test, if that's even
> proper use for it.
>
> Oops. I meant, byte_jump.
>
>
>
> On Thu, Dec 16, 2010 at 5:54 PM, evejou <girl at ...3471...> wrote:
>
>> Hi,
>>
>> I was trying to write a signature for Snort v2.6.1.5. I have a question
>> about using the distance/within tags after a byte_test, if that's even
>> proper use for it.
>>
>> Say there's a packet that looks kind of like this:
>>
>> MM MM OO OO OO [....] TT XX XX AA AA ...
>>
>> (MM -- magic number)
>> (OO -- offset value that points to the TTs; this offset counts from the
>> beginning of the file)
>> (XX XX -- 2 bytes that I don't care about)
>>
>> I was trying to figure out where the pointer would be after a byte_jump,
>> so I tried to write the following to see if it would trigger:
>> content:"|MM MM|"; byte_jump:3,0,relative,from_beginning,post_offset 2; content:"|AA AA|"; distance:0; within:2;
>> I noticed that this didn't trigger, but that it did when I removed the
>> "within:2" part.
>>
>>
>> And then I tried the following:
>> content:"|MM MM|"; byte_jump:3,0,relative,from_beginning,post_offset 2; content:"|OO OO OO|"; distance:0; within:3;
>> and this triggered as well.
>>
>> My first question is whether this is expected behavior (or am I doing
>> something wrong?), and adjunctly to that, how I could get a hit on that
>> second content tag (the |AA AA| part)...
>>
>>
>> Thanks,
>> Alice
>>
>> --
>> ---
>> girl at ...3471...
>>
>> Finché c'è vita, c'è speranza.
>> As long as there is life, there is hope.
>>
>
>
>
>
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
>


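To see where the cursor actually ends up in the cases discussed in this thread (a from_beginning jump measured from the start of the payload, HTTP header included; post_offset versus distance; and a within window that is one byte too short), here is a small Python model of the byte_jump / content cursor semantics as the Snort manual describes them. This is an added example, not code from the thread or from Snort itself. The HTTP header, the file layout (TT taken as one byte, so the skip from TT to AA AA is three bytes) and the padding length are constructed sample data, and the semantics modelled (a relative jump measured from the byte after the bytes read, from_beginning measured from byte 0 of the inspected buffer, post_offset applied last, within counted from the distance-adjusted start) are assumptions to check against your own Snort version.

```python
"""Toy model of the Snort 2.x detection cursor for content / byte_jump.

Added example (not from the thread, not Snort code). It follows the Snort
manual's description of byte_jump and of the distance/within modifiers;
verify the details against your own Snort build before relying on them.
"""

# Constructed sample data for the layout in the thread:
#   MM MM OO OO OO [....] TT XX XX AA AA
# MM = magic, OO = 3-byte big-endian offset of TT counted from the file
# start, TT = one type byte, XX XX = two bytes we ignore, AA AA = target.
MAGIC = b"\x4d\x4d"
TT = b"\x54"
XX = b"\x58\x58"
AA = b"\x41\x41"
# Constructed HTTP response header that precedes the file in the packet.
HTTP_HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
SKIP_TO_AA = len(TT) + len(XX)   # bytes between the jump target (TT) and AA AA


def build_file(pad=27):
    """Return (file_bytes, offset_of_TT_from_file_start) for the layout above."""
    tt_offset = len(MAGIC) + 3 + pad
    data = MAGIC + tt_offset.to_bytes(3, "big") + b"\x00" * pad + TT + XX + AA
    return data, tt_offset


def content(buf, cursor, pattern, distance=0, within=None):
    """Relative 'content' match; returns the cursor at the end of the match or None.

    The search starts `distance` bytes past the cursor; with `within` the whole
    pattern must fit inside the next `within` bytes from that start.
    """
    start = cursor + distance
    end = len(buf) if within is None else min(len(buf), start + within)
    idx = buf.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)


def byte_jump(buf, cursor, nbytes, offset, relative=True,
              from_beginning=False, post_offset=0):
    """Model of 'byte_jump:nbytes,offset[,relative][,from_beginning][,post_offset N]'.

    Reads nbytes (unsigned, big-endian) at offset from the cursor (relative)
    or from the buffer start.  Without from_beginning the jump is measured from
    the byte after the bytes read; with from_beginning it is measured from
    byte 0 of the buffer being inspected (the whole payload, header included).
    post_offset is added last.  Returns the new cursor or None if out of range.
    """
    grab_at = (cursor if relative else 0) + offset
    raw = buf[grab_at:grab_at + nbytes]
    if len(raw) != nbytes:
        return None
    value = int.from_bytes(raw, "big")
    new = value if from_beginning else grab_at + nbytes + value
    new += post_offset
    return new if 0 <= new <= len(buf) else None


def cursor_after_jump(buf, **jump_opts):
    """content:"|4D 4D|"; byte_jump:3,0,relative,<jump_opts>;  -> cursor after the jump."""
    cur = content(buf, 0, MAGIC)
    return None if cur is None else byte_jump(buf, cur, 3, 0, **jump_opts)


def demo():
    file_bytes, tt_in_file = build_file()
    packet = HTTP_HEADER + file_bytes
    tt_in_packet = len(HTTP_HEADER) + tt_in_file
    r = {"tt_in_file": tt_in_file, "tt_in_packet": tt_in_packet}

    # 1. Bare file: from_beginning lands exactly on TT.
    r["bare_from_beginning"] = cursor_after_jump(file_bytes, from_beginning=True)
    # 2. Same rule on the HTTP response: the jump is counted from the start of
    #    the payload, so it lands len(HTTP_HEADER) bytes before the real TT.
    r["packet_from_beginning"] = cursor_after_jump(packet, from_beginning=True)
    # 3. Plain relative jump: measured from the byte after OO, so it overshoots
    #    TT by the five bytes (MM MM OO OO OO) that precede the file body.
    r["packet_relative"] = cursor_after_jump(packet)
    # 4. post_offset vs distance: both search for AA AA at the same byte, but
    #    post_offset moves the cursor that later relative options start from.
    r["cursor_plain"] = cursor_after_jump(file_bytes, from_beginning=True)
    r["cursor_post_offset"] = cursor_after_jump(file_bytes, from_beginning=True,
                                                post_offset=SKIP_TO_AA)
    r["distance_match"] = content(file_bytes, r["cursor_plain"], AA,
                                  distance=SKIP_TO_AA, within=2)
    r["post_offset_match"] = content(file_bytes, r["cursor_post_offset"], AA,
                                     distance=0, within=2)
    # 5. A window one byte short: within:2 rejects AA AA, dropping within finds it.
    short = r["cursor_plain"] + SKIP_TO_AA - 1
    r["short_within"] = content(file_bytes, short, AA, within=2)
    r["short_no_within"] = content(file_bytes, short, AA)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>22}: {v}")
```

The useful comparison is case 4: post_offset and distance put the search for |AA AA| at the same byte, so for the very next content they are interchangeable, but only post_offset moves the cursor itself, which is what a later relative byte_test or byte_jump would start from. Case 2 is the header problem from the thread in numbers: the jump value is right, the origin is not.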