[Snort-sigs] Sig writing help

Alex Cermak alex.cermak at ...4198...
Tue Nov 15 20:57:17 EST 2016


Hi,

I'm rather stuck writing a rule which will match the last 4 bytes of the given packet, does anyone know why the rule below would not match the packet below?

I realise this rule is far from accurate at this stage, I'm just attempting to get it to fire.

Rule:
alert tcp any any -> any any (msg:"PoC C&C"; content:"|00 00 00 01|"; sid:10000; rev:1; )

Packet:
11/10-11:36:18.510776 192.168.58.5:39598 -> 192.168.58.4:23
TCP TTL:64 TOS:0x0 ID:43413 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x470C2095 Ack: 0x47993993 Win: 0xE5 TcpLen: 32
TCP Options (3) => NOP NOP TS: 231687 232203
0x0000: 08 00 27 21 AF 47 08 00 27 CB B6 C0 08 00 45 00 ..'!.G..'.....E.
0x0010: 00 38 A9 95 40 00 40 06 9B D0 C0 A8 3A 05 C0 A8 .8..@.@.....:...
0x0020: 3A 04 9A AE 00 17 47 0C 20 95 47 99 39 93 80 18 :.....G. .G.9...
0x0030: 00 E5 F5 84 00 00 01 01 08 0A 00 03 89 07 00 03 ................
0x0040: 8B 0B 00 00 00 01 ......


$ snort --version

,,_ -*> Snort! <*-
o" )~ Version 2.9.7.0 GRE (Build 149)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.7.4
Using PCRE version: 8.38 2015-11-23
Using ZLIB version: 1.2.8

Thanks,

Alex
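As an added check (not part of the original post or of Snort itself): the script below parses the Snort hex dump quoted above, slices the TCP payload out using the IHL, IP total length and TCP data offset fields (20 + 32 bytes here, matching IpLen:20 and TcpLen:32), and tests the rule's content bytes against it. The dump is a constructed copy of the one in the post; the result shows the payload is exactly |00 00 00 01|, so the content pattern itself is present in the data the rule inspects.

```python
import re

# Constructed copy of the Snort -dev hex dump from the post (ASCII column
# repaired by hand; only the hex column is parsed, so it never matters).
SNORT_DUMP = """\
0x0000: 08 00 27 21 AF 47 08 00 27 CB B6 C0 08 00 45 00 ..'!.G..'.....E.
0x0010: 00 38 A9 95 40 00 40 06 9B D0 C0 A8 3A 05 C0 A8 .8..@.@.....:...
0x0020: 3A 04 9A AE 00 17 47 0C 20 95 47 99 39 93 80 18 :.....G. .G.9...
0x0030: 00 E5 F5 84 00 00 01 01 08 0A 00 03 89 07 00 03 ................
0x0040: 8B 0B 00 00 00 01 ......
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_snort_dump(dump):
    # Each line: '0xNNNN:' then up to 16 hex bytes, then the ASCII column.
    # Stop at 16 bytes or at the first token that is not a hex byte, so
    # the ASCII column (even a mangled one) is never read as data.
    frame = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:17]:
            if not HEX_BYTE.match(tok):
                break
            frame.append(int(tok, 16))
    return bytes(frame)

def tcp_payload(frame):
    # Ethernet(14) + IPv4 header (IHL*4) + TCP header (data offset*4);
    # payload ends at the IP total length, not at the end of the frame.
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("expected an IPv4/TCP frame")
    ihl = (frame[14] & 0x0F) * 4
    ip_total = int.from_bytes(frame[16:18], "big")
    data_off = (frame[14 + ihl + 12] >> 4) * 4
    return frame[14 + ihl + data_off:14 + ip_total]

def snort_content_bytes(content):
    # Snort content syntax: text outside |...| is literal, inside is hex.
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def content_offset(dump, content):
    # Offset of the rule's content in the TCP payload, or -1 if absent.
    return tcp_payload(parse_snort_dump(dump)).find(snort_content_bytes(content))
```

`content_offset(SNORT_DUMP, "|00 00 00 01|")` returns 0, i.e. the pattern sits at the very start of the 4-byte payload.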