[Snort-sigs] byte_test and buffer cursor

Y M snort at ...3751...
Thu Feb 9 17:00:38 EST 2017

Thank you Alex.

I did go through the manual and I guess I must have missed it, at least in the byte_test section.

Using the value I am expecting in the second byte_test did not yield a match:

content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,relative; byte_test:3,=,165,0,relative;

Keeping only the first byte_test yields a match:

content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,relative;

Using a single byte_test with the value I am expecting does not yield a match:

content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,=,165,0,relative;

tshark -nn -r capture.pcap -Y 'http.request.method == POST' -T fields -e http.content_length | sort | uniq


Just to verify my understanding, the first content match should set the cursor to the next byte right after the matched content, correct? I guess this is not the best way to do it since the Content-Length is a lot more variable than I thought + historical data. Back to the drawing board.

Thanks again Alex.
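
The results reported above can be reproduced with a small model of byte_test; this is an added example, not code from the thread or from Snort itself. It assumes Snort's documented default that byte_test reads raw bytes as a big-endian binary integer unless the string modifier is given, that byte_test leaves the cursor where it was, and it uses a constructed request header carrying Content-Length: 165.

```python
# Minimal model of Snort byte_test semantics, written to illustrate the
# thread above (not Snort's own code). Assumption: without the "string"
# modifier byte_test reads raw bytes as a big-endian binary integer; with
# "string,dec" it parses that many ASCII decimal digits.
import operator
import re

OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}

# Constructed sample: raw request header as http_raw_header would see it.
RAW_HEADER = (b"POST /upload HTTP/1.1\r\n"
              b"Host: example.test\r\n"
              b"Content-Length: 165\r\n\r\n")

def content_match(buf, pattern, cursor=0):
    """Return the cursor position just past the first match, or None."""
    idx = buf.find(pattern, cursor)
    return None if idx < 0 else idx + len(pattern)

def byte_test(buf, cursor, nbytes, op, value, offset=0, string=False):
    """Evaluate one relative byte_test. Returns (matched, cursor).
    The cursor is returned unchanged: byte_test never moves it."""
    start = cursor + offset
    chunk = buf[start:start + nbytes]
    if len(chunk) < nbytes:
        return False, cursor
    if string:
        m = re.match(rb"\d+", chunk)          # ASCII decimal, like string,dec
        if not m:
            return False, cursor
        extracted = int(m.group(0))
    else:
        extracted = int.from_bytes(chunk, "big")  # e.g. b"165" -> 0x313635
    return OPS[op](extracted, value), cursor

def run_rule(buf, tests, string=False):
    """Apply the thread's content match, then each (nbytes, op, value)
    byte_test in turn. Returns (all_matched, cursor_after)."""
    cursor = content_match(buf, b"Content-Length: ")
    if cursor is None:
        return False, None
    for nbytes, op, value in tests:
        ok, cursor = byte_test(buf, cursor, nbytes, op, value, 0, string)
        if not ok:
            return False, cursor
    return True, cursor

if __name__ == "__main__":
    tests = [(3, ">", 160), (3, "=", 165)]
    print("binary :", run_rule(RAW_HEADER, tests))        # second test fails
    print("string :", run_rule(RAW_HEADER, tests, True))  # both tests pass
```

Read as binary, the three ASCII bytes "165" are 3225141, which is greater than 160 but not equal to 165, matching the three outcomes reported above; with the string modifier both comparisons hold and the cursor stays just past the matched content throughout.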


From: Alex McDonnell <amcdonnell at ...435...>
Sent: Friday, February 10, 2017 12:34:23 AM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] byte_test and buffer cursor

I'm pretty sure that's in the Snort Manual, byte_test does not move the cursor, byte_extract does. You could also test for the value you expect in your second test to verify ;)

Alex McDonnell

On Thu, Feb 9, 2017 at 4:30 PM, Y M <snort at ...3751...> wrote:

Does a byte_test move the cursor into a buffer the number of bytes it tests? Does it depend on the buffer against which the byte_test is operating?

In essence, I am trying to use byte_test to validate that the decimal value of X number of bytes falls within a decimal range. Something similar to:

http_raw_header; byte_test:3,>,160,0,relative; byte_test:3,<,170,0,relative;

If the first byte_test above moves the cursor 3 bytes into the buffer, how can I reset the cursor back to the beginning of the buffer of the last/relative content match (http_raw_header)? Or am I just doing it all wrong?

