[Snort-sigs] Quick question about byte_test

Nathan Benson nathan at ...435...
Wed Feb 13 13:29:39 EST 2013

Hi Jeff,

If I understand your question correctly, the relative position of the
cursor will be immediately *after* the bytes you read in using
byte_extract.  Simply, byte_extract *does* move the cursor where byte_test
does not.

I'll give you an example:

$ ruby -e 'print "\x00\x01\x02\x03\x04"' > test.dat

$ file2pcap test.dat test.pcap

$ cat local.rules
# byte_extract reads in bytes 00 01 and leaves the cursor right after 01.
# Each byte_test is then relative to that cursor (byte_test does not move it):
#   - the next byte (offset 0) must be 0x02,
#   - the byte one past the cursor (offset 1) must be 0x03,
#   - the next two bytes (0x0203) must be larger than first_two_bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
   msg:"TEST byte_test and byte_extract"; \
   flow:to_client,established; \
   file_data; \
   byte_extract:2,0,first_two_bytes; \
   byte_test:1,=,0x2,0,relative; \
   byte_test:1,=,0x3,1,relative; \
   byte_test:2,>,first_two_bytes,0,relative; \
   metadata:service http; \
   classtype:misc-activity; \
   sid:100000; rev:1; \
)

The alert from Snort:

##### test.pcap #####
[1:100000:1] TEST byte_test and byte_extract (alerts: 1) (reassembled)

To address the second part of your question, you can plainly see that
byte_extract will work fine with no content matches.  However, and this is
a *big however,* the rule that I provided above is a really, really bad
idea to put into production.  Especially on something like $HTTP_PORTS.

The problem is that there is no content match.  So the above rule will
enter on *everything* on $HTTP_PORTS, do its checks and bail (or alert).
As you can imagine this is terrible for performance.  So, having something
like this on a high traffic network/port is bad juju.

I hope this helps.


On Tue, Feb 12, 2013 at 2:49 PM, Jeffrey Stebelton
<jstebelton at ...3769...> wrote:

> When byte_test follows byte_extract, does a relative offset start after
> the number of bytes put into the variable in byte_extract or a previous
> content match before the byte_extract? And if it's the latter, then there
> would have to be at least one content match before the byte_extract?
>
> Jeff
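To make the cursor behaviour in this thread concrete without a Snort install, here is an added example (my own toy model, not Snort's code) that evaluates the thread's rule options over the same five bytes. It models `content` and `byte_extract` as moving the detection cursor and `byte_test` as leaving it alone; the assumption, labelled in the code, is that a `relative` offset with no prior match counts from the start of the buffer, which is how the thread's rule behaves. The `ANCHORED_RULE` variant is constructed for comparison and is not from the thread.

```python
"""Toy model of the Snort 2 detection cursor (added example, not Snort code).

Three rule options are modelled:
  content      - search from the cursor; a hit moves the cursor past the match
  byte_extract - read bytes into a variable and move the cursor past them
  byte_test    - compare bytes against a value and leave the cursor untouched

Assumption: with no prior match, a "relative" offset counts from the start
of the buffer (this is what makes the thread's rule work with no content).
"""
import operator
from dataclasses import dataclass, field

# Subset of byte_test comparison operators.
OPS = {"=": operator.eq, "!": operator.ne, "<": operator.lt, ">": operator.gt}


@dataclass
class Cursor:
    payload: bytes
    pos: int = 0                                # detection cursor
    vars: dict = field(default_factory=dict)    # byte_extract variables


def _read_int(cur, nbytes, offset, relative):
    """Big-endian integer at (cursor if relative else 0) + offset, or None if out of bounds."""
    start = (cur.pos if relative else 0) + offset
    end = start + nbytes
    if start < 0 or end > len(cur.payload):
        return None, start
    return int.from_bytes(cur.payload[start:end], "big"), start


def content(cur, pattern):
    """content: find pattern at or after the cursor and move the cursor past it."""
    i = cur.payload.find(pattern, cur.pos)
    if i < 0:
        return False
    cur.pos = i + len(pattern)
    return True


def byte_extract(cur, nbytes, offset, name, relative=False):
    """byte_extract: store the value AND advance the cursor past the bytes read."""
    val, start = _read_int(cur, nbytes, offset, relative)
    if val is None:
        return False
    cur.vars[name] = val
    cur.pos = start + nbytes
    return True


def byte_test(cur, nbytes, op, value, offset, relative=False):
    """byte_test: compare; the cursor is NOT moved. value may name a byte_extract variable."""
    val, _ = _read_int(cur, nbytes, offset, relative)
    if val is None:
        return False
    if isinstance(value, str):
        value = cur.vars[value]
    return OPS[op](val, value)


OPTIONS = {"content": content, "byte_extract": byte_extract, "byte_test": byte_test}


def run_rule(payload, options):
    """Evaluate options in order; return (matched, trace of (option, ok, cursor after it))."""
    cur = Cursor(payload)
    trace = []
    for opt in options:
        ok = OPTIONS[opt[0]](cur, *opt[1:])
        trace.append((opt[0], ok, cur.pos))
        if not ok:
            return False, trace
    return True, trace


# Constructed payload: the same five bytes the thread writes out with ruby -e.
PAYLOAD = bytes([0x00, 0x01, 0x02, 0x03, 0x04])

# The thread's rule body (flow/file_data/metadata omitted: they do not touch the cursor).
THREAD_RULE = [
    ("byte_extract", 2, 0, "first_two_bytes"),          # cursor 0 -> 2, first_two_bytes = 1
    ("byte_test", 1, "=", 0x2, 0, True),                 # byte at cursor+0 == 0x02
    ("byte_test", 1, "=", 0x3, 1, True),                 # byte at cursor+1 == 0x03
    ("byte_test", 2, ">", "first_two_bytes", 0, True),   # 0x0203 (515) > 1
]

# Constructed variant (not from the thread): anchor on a content match instead,
# so the relative offset starts right after the matched bytes.
ANCHORED_RULE = [
    ("content", b"\x00\x01"),                            # cursor 0 -> 2
    ("byte_test", 1, "=", 0x2, 0, True),
    ("byte_test", 2, ">", 0x0001, 0, True),
]


if __name__ == "__main__":
    for name, rule in (("thread rule", THREAD_RULE), ("anchored rule", ANCHORED_RULE)):
        matched, trace = run_rule(PAYLOAD, rule)
        print(f"{name}: matched={matched}")
        for opt, ok, pos in trace:
            print(f"  {opt:13s} ok={ok!s:5s} cursor={pos}")
```

The trace shows the cursor parked at 2 after byte_extract and never moving through the three byte_tests, which is the point Nathan makes: the first byte_test at relative offset 0 and the second at offset 1 both measure from the same spot. Swapping the leading byte_extract for a content match (the anchored variant) gives the same cursor position, and is the shape that lets the fast pattern matcher skip packets that cannot match instead of entering the rule on every packet.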
