[Snort-sigs] No need for content modifier 'within'

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Thu Jun 10 11:32:25 EDT 2010


I understand what you are saying but I'm not sure it is congruent with
current reality.  Try this -- run these two rules:

alert tcp any any -> any any (msg:"DEPTH TEST!";
flow:established,to_server; content:"hello"; nocase; content:"world";
distance:4; depth:5; classtype:trojan-activity; sid:20104568; rev:1;)

alert tcp any any -> any any (msg:"WITHIN TEST!";
flow:established,to_server; content:"hello"; nocase; content:"world";
distance:4; within:5; classtype:trojan-activity; sid:20104569; rev:1;)

And then browse to http://www.google.com/hello1234world

Do they both alert?  If so, that would seem to indicate that depth is
relative, no?

I'd also encourage you to test http://www.google.com/hello123world and
http://www.google.com/hello12345world and verify that those don't
cause alerts.

Cheers,

-L0rd Ch0de1m0rt

On 6/10/10, Joel Esler <jesler at ...435...> wrote:
> I apologize I mean depth instead of distance.  My fingers typed the wrong
> word.
>
> You can do a distance:0, but within allows you to tell the search where to
> stop.  Distance is relative to the last match, within is relative to this
> match.
>
> Depth tells Snort how far to read into a packet to search for a pattern
> Offset tells Snort how far to read into a packet to START searching for a
> pattern
> Distance tells Snort how far into a packet Snort should skip relative to the
> end of the previous content match
> Within makes sure that there is "x" amount of bytes between pattern matches.
>
> You can't use a depth with a distance, as depth references the offset, not
> the relative distance from last match (that's what distance is for)
>
> There are reasons for all four, we've had this debate for years.
>
> Plus with distance, you can do negative relativity, you can't do that with
> offset.  Just FYI.
>
>
> 11:04 AM, on Jun 10, 2010, wrote:
>
>> What?  Are you confusing distance and offset?  According to your blog
>> post according to the Snort manual, "The distance keyword allows the
>> rule writer to specify how far into a packet Snort should ignore
>> before starting to search for the specified pattern relative to the
>> end of the previous pattern match."
>>
>> Distance is relative and I'm saying we don't really need the 'within'
>> keyword since we can just do distance:0; and then use depth since
>> depth is relative as well.
>>
>> Hope this helps.
>>
>> -L0rd Ch0de1m0rt
>>
>> On 6/10/10, Joel Esler <jesler at ...435...> wrote:
>>> Distance tells Snort how far to read into a packet to search for a
>>> pattern
>>> Within makes sure that at most "x" amount of bytes are between pattern
>>> matches.
>>>
>>> Within is relative, distance is not.
>>>
>>>
>>> 10:39 AM, on Jun 10, 2010, wrote:
>>>
>>>> Hello.  Not trying to beat a dead horse here but I was reading
>>>> http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html
>>>> and came to a part where it said, "Offset goes with Depth, distance
>>>> goes with within.  Don’t mix them."  I'm not sure I agree with this
>>>> and I'm not much of a Blogger/Internet Exhibitionist so I'm posting
>>>> this here.
>>>>
>>>> We all know, offset tells Snort how far into the payload (starting
>>>> from the beginning of the payload) to start looking for a content
>>>> match.  Distance tells Snort how far into the payload (starting from
>>>> the previous content match) to start looking for a content match.
>>>> Depth *and* within tell Snort where to stop looking based on where it
>>>> started looking.  So you can have distance and use depth if you want
>>>> and it is perfectly OK to do this.  Do not be afraid.  The only reason
>>>> within exists is so if you have a situation where you don't use
>>>> distance but want to make sure no more than N bytes are between
>>>> content matches.  But within isn't really necessary. In fact, we could
>>>> get rid of within in the case described and just add distance:0; and
>>>> use depth.
>>>>
>>>> Hope this helps clarify a few things about the within content modifier.
>>>>
>>>> Cheers,
>>>>
>>>> -L0rd Ch0de1m0rt
>>>>
>>>
>>> --
>>> Joel Esler
>>>
>>>
>>>
>
> --
> Joel Esler
>
>
>
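As an added illustration (not code from this thread, the blog post, or Snort itself), here is a small Python model of the four content modifiers, run on the three request paths the top message asks the reader to browse to. The HTTP request lines are constructed stand-ins for those browser requests, and the `depth_relative` switch is an assumption added so that both readings of `depth` after a `distance` can be compared, which is exactly what the proposed test is meant to discriminate.

```python
"""Toy model of Snort's content modifiers (offset, depth, distance, within).

Added illustration, not Snort's own matching code.  The one open question in
the thread is whether 'depth' on a content that follows 'distance' is counted
from the cursor left by the previous match or from byte 0 of the payload; the
depth_relative flag lets both readings be run side by side.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    offset: int = 0                  # absolute: byte to start searching from
    depth: Optional[int] = None      # bytes to search from the start point
    distance: Optional[int] = None   # relative: skip N bytes past the previous match
    within: Optional[int] = None     # relative: pattern must end within N bytes of the start point

    @property
    def relative(self) -> bool:
        return self.distance is not None or self.within is not None


def _find(hay: bytes, needle: bytes, nocase: bool) -> int:
    if nocase:
        return hay.lower().find(needle.lower())
    return hay.find(needle)


def match_contents(payload: bytes, contents: List[Content], depth_relative: bool = True) -> bool:
    """True if every content matches in order, each search window set by its modifiers."""
    cursor = 0  # byte just past the previous content match
    for c in contents:
        if c.relative:
            start = max(cursor + (c.distance or 0), 0)   # negative distance is allowed; clamp at 0
            if c.within is not None:
                end = start + c.within
            elif c.depth is None:
                end = len(payload)
            elif depth_relative:
                end = start + c.depth        # depth counted from the post-distance cursor
            else:
                end = c.depth                # depth counted from byte 0 of the payload
        else:
            start = c.offset
            end = len(payload) if c.depth is None else c.offset + c.depth
        if start > len(payload):
            return False
        idx = _find(payload[start:end], c.pattern, c.nocase)
        if idx < 0:
            return False
        cursor = start + idx + len(c.pattern)
    return True


# The two rules from the message, reduced to their content options.
DEPTH_TEST = [Content(b"hello", nocase=True), Content(b"world", distance=4, depth=5)]
WITHIN_TEST = [Content(b"hello", nocase=True), Content(b"world", distance=4, within=5)]

# Constructed request lines standing in for "browse to http://www.google.com/<path>".
PATHS = ["/hello1234world", "/hello123world", "/hello12345world"]


def request(path: str) -> bytes:
    return f"GET {path} HTTP/1.1\r\nHost: www.google.com\r\n\r\n".encode()


def run_thread_test() -> Dict[str, List[bool]]:
    """Outcome of each rule on each path, under both readings of depth."""
    return {
        "within": [match_contents(request(p), WITHIN_TEST) for p in PATHS],
        "depth (relative reading)": [match_contents(request(p), DEPTH_TEST, True) for p in PATHS],
        "depth (absolute reading)": [match_contents(request(p), DEPTH_TEST, False) for p in PATHS],
    }


if __name__ == "__main__":
    for name, hits in run_thread_test().items():
        print(f"{name:26}", dict(zip(PATHS, hits)))
```

The model shows why the three URLs are a good discriminator: under the absolute reading, `depth:5` confines the search for `world` to the first five bytes of the payload, so the DEPTH TEST rule can never fire once `hello` has already been consumed; under the relative reading it behaves identically to `within:5`, firing only when exactly four bytes separate the two matches. Whichever way a given Snort build behaves, the rule author's safe choice remains `within` for a bound that is meant to be relative to the previous match.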



