[Snort-sigs] byte_test and buffer cursor
snort at ...3751...
Thu Feb 9 17:00:38 EST 2017
Thank you Alex.
I did go through the manual and I guess I must have missed it, at least in the byte_test section.
Using the value I am expecting in the second byte_test did not yield a match:
content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,relative; byte_test:3,=,165,0,relative;
Keeping only the first byte_test yields a match:
content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,relative;
Using a single byte_test with the value I am expecting does not yield a match:
content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,=,165,0,relative;
tshark -nn -r capture.pcap -Y 'http.request.method == POST' -T fields -e http.content_length | sort | uniq
Just to verify my understanding, the first content match should set the cursor to the next byte right after the matched content, correct? I guess this is not the best way to do it since the Content-Length is a lot more variable than I thought + historical data. Back to the drawing board.
Thanks again Alex.
From: Alex McDonnell <amcdonnell at ...435...>
Sent: Friday, February 10, 2017 12:34:23 AM
To: Y M
Subject: Re: [Snort-sigs] byte_test and buffer cursor
I'm pretty sure that's in the Snort Manual, byte_test does not move the cursor, byte_extract does. You could also test for the value you expect in your second test to verify ;)
On Thu, Feb 9, 2017 at 4:30 PM, Y M <snort at ...3751...> wrote:
Does a byte_test move the cursor into a buffer the number of bytes it tests? Does it depend on the buffer against which the byte_test is operating?
In essence, I am trying to use byte_test to validate that the decimal value of X number of bytes fall within a decimal range. Something similar to:
http_raw_header; byte_test:3,>,160,0,relative; byte_test:3,<,170,0,relative;
If the first byte_test above moves the cursor 3 bytes into the buffer, how can I reset the cursor back to the beginning of the buffer of the last/relative content match (http_raw_header)? Or am I just doing it all wrong?
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
Please visit http://blog.snort.org for the latest news about Snort!
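As an added illustration (my own, not code from the thread or from the Snort project), the Python below models the cursor behaviour the thread is about: a relative content match advances the cursor to the byte right after the match, byte_test reads at the cursor but returns only true/false and leaves the cursor where it was, and byte_extract is the option that advances it. It also models the difference between byte_test's default read (the bytes as an unsigned big-endian integer) and the `string` read (the bytes as ASCII digits), which the thread does not go into. The header bytes are constructed, the function names and the `fmt` parameter are my own, and the string parsing is an approximation of Snort's based on the manual's description of the option, not a port of Snort's source.

```python
import re

# Constructed sample raw HTTP header block (not the capture from the thread).
CONSTRUCTED_RAW_HEADER = (
    b"Host: example.test\r\n"
    b"Content-Length: 165\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
)

OPS = {
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "=": lambda a, b: a == b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
}
STRING_PATTERNS = {"dec": rb"[0-9]+", "hex": rb"[0-9a-fA-F]+", "oct": rb"[0-7]+"}
BASES = {"dec": 10, "hex": 16, "oct": 8}


def content(buf, cursor, pattern):
    """Emulate a relative `content` match: search from the cursor and return the
    new cursor, i.e. the byte right after the match, or None if absent."""
    idx = buf.find(pattern, cursor)
    return None if idx < 0 else idx + len(pattern)


def read_value(buf, start, nbytes, string=False, fmt="dec", big_endian=True):
    """Read nbytes at start either as a binary integer (Snort's default, big-endian
    unless `little`) or, with string=True, as leading ASCII digits in the given base
    (an approximation of Snort's `string` conversion). None if too few bytes."""
    chunk = buf[start:start + nbytes]
    if len(chunk) < nbytes:
        return None
    if not string:
        return int.from_bytes(chunk, "big" if big_endian else "little")
    m = re.match(STRING_PATTERNS[fmt], chunk)
    return None if m is None else int(m.group(0).decode("ascii"), BASES[fmt])


def byte_test(buf, cursor, nbytes, op, value, offset=0, string=False, fmt="dec"):
    """Emulate `byte_test:<nbytes>,<op>,<value>,<offset>,relative[,string,<fmt>]`.
    Returns only a bool: byte_test never moves the cursor, so a following relative
    option still starts from the same cursor it was given."""
    n = read_value(buf, cursor + offset, nbytes, string, fmt)
    return n is not None and OPS[op](n, value)


def byte_extract(buf, cursor, nbytes, offset=0, string=False, fmt="dec"):
    """Emulate `byte_extract ... relative`: returns (value, new_cursor). This is the
    option that advances the cursor past the bytes it read."""
    start = cursor + offset
    n = read_value(buf, start, nbytes, string, fmt)
    return (None, cursor) if n is None else (n, start + nbytes)


def evaluate_chains(buf):
    """Run the thread's option chains, plus string-mode variants, on one buffer."""
    cursor = content(buf, 0, b"Content-Length: ")  # the thread's |3A 20| is ": "
    if cursor is None:
        return {}
    return {
        # Thread's chains in default binary mode; both byte_tests see the same cursor.
        "raw_gt160": byte_test(buf, cursor, 3, ">", 160),
        "raw_gt160_and_eq165": byte_test(buf, cursor, 3, ">", 160)
        and byte_test(buf, cursor, 3, "=", 165),
        "raw_eq165": byte_test(buf, cursor, 3, "=", 165),
        # Same checks with string,dec so the ASCII digits are parsed as a decimal.
        "string_eq165": byte_test(buf, cursor, 3, "=", 165, string=True),
        "string_range_160_170": byte_test(buf, cursor, 3, ">", 160, string=True)
        and byte_test(buf, cursor, 3, "<", 170, string=True),
    }


if __name__ == "__main__":
    cur = content(CONSTRUCTED_RAW_HEADER, 0, b"Content-Length: ")
    print("cursor after content match:", cur)
    print("3 bytes as binary:", read_value(CONSTRUCTED_RAW_HEADER, cur, 3))
    print("3 bytes as string,dec:", read_value(CONSTRUCTED_RAW_HEADER, cur, 3, string=True))
    for name, hit in evaluate_chains(CONSTRUCTED_RAW_HEADER).items():
        print(f"{name}: {'match' if hit else 'no match'}")
    # A 4-digit length shows the fixed-width limit of a 3-byte string read.
    print("3-byte string read of '1000':",
          read_value(b"Content-Length: 1000\r\n", 16, 3, string=True))
```

With this constructed header the binary chain `3,>,160` matches (the bytes "165" read as 0x313635) while `3,=,165` does not, and only the `string,dec` variants compare the decimal 165; whether that is what happened against the thread's capture is not something the thread establishes. The last line shows the fixed-width caveat the thread runs into: a 3-byte string read of a 4-digit length only sees its first three digits.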