[Snort-sigs] byte_test and buffer cursor

Y M snort at ...3751...
Thu Feb 9 17:14:07 EST 2017


That was it, Alex. The "string" and "dec" did the trick. I haven't paid enough attention to these options but the last detail you provided was an aha/hmm moment.


Thanks a bunch.

YM

________________________________
From: Alex McDonnell <amcdonnell at ...435...>
Sent: Friday, February 10, 2017 1:07:42 AM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] byte_test and buffer cursor

Your test would go better if you specified "string" and "dec" in your byte test so that snort interprets those bytes as 124 and not 0x313234 which is a very different number. Byte test can go up to 10 bytes and with the string option will stop at the first non ascii number byte, like 0x0D.

On Thu, Feb 9, 2017 at 5:00 PM, Y M <snort at ...3751...> wrote:

Thank you Alex.


I did go through the manual and I guess I must have missed it, at least in the byte_test section.


Using the value I am expecting in the second byte_test did not yield a match:


content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,relative; byte_test:3,=,165,0,relative;


Keeping only the first byte_test yields a match:


content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,relative;


Using a single byte_test with the value I am expecting does not yield a match:


content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,=,165,0,relative;


tshark -nn -r capture.pcap -Y 'http.request.method == POST' -T fields -e http.content_length | sort | uniq


124
165
89
93


Just to verify my understanding, the first content match should set the cursor to the next byte right after the matched content, correct? I guess this is not the best way to do it since the Content-Length is a lot more variable than I thought + historical data. Back to the drawing board.


Thanks again Alex.

YM

________________________________
From: Alex McDonnell <amcdonnell at ...435...>
Sent: Friday, February 10, 2017 12:34:23 AM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] byte_test and buffer cursor

I'm pretty sure that's in the Snort Manual, byte_test does not move the cursor, byte_extract does. You could also test for the value you expect in your second test to verify ;)

Alex McDonnell
TALOS

On Thu, Feb 9, 2017 at 4:30 PM, Y M <snort at ...3751...> wrote:

Does a byte_test move the cursor into a buffer the number of bytes it tests? Does it depend on the buffer against which the byte_test is operating?


In essence, I am trying to use byte_test to validate that the decimal value of X number of bytes falls within a decimal range. Something similar to:


http_raw_header; byte_test:3,>,160,0,relative; byte_test:3,<,170,0,relative;


If the first byte_test above moves the cursor 3 bytes into the buffer, how can I reset the cursor back to the beginning of the buffer of the last/relative content match (http_raw_header)? Or am I just doing it all wrong?


YM


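The two behaviours discussed in this thread, that byte_test leaves the cursor where the preceding content match put it, and that without "string,dec" the three ASCII digits of "165" are read as the integer 0x313635 rather than 165, can be checked offline with the small emulation below. This is an added example, not Snort code and not from anyone on the list; the request header is constructed, and the rule shape follows the "Content-Length: " content match with chained relative byte_tests from the thread.

```python
import re

# Constructed sample request header; not taken from the thread's capture.
RAW_HEADER = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 165\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
)

def content_match(buf, pattern, cursor=0):
    """Emulate a content match: return the cursor just past the matched bytes."""
    idx = buf.find(pattern, cursor)
    return None if idx < 0 else idx + len(pattern)

def read_value(buf, cursor, nbytes, offset=0, string=False):
    """Value byte_test would compare, read relative to the cursor.
    Without "string": the raw bytes as a big-endian integer.
    With "string,dec": ASCII digits, stopping at the first non-digit (e.g. 0x0D)."""
    chunk = buf[cursor + offset: cursor + offset + nbytes]
    if not string:
        return int.from_bytes(chunk, "big") if chunk else None
    m = re.match(rb"\d+", chunk)
    return int(m.group()) if m else None

OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def byte_test(buf, cursor, nbytes, op, value, offset=0, string=False):
    """byte_test only answers true/false; it never advances the cursor."""
    found = read_value(buf, cursor, nbytes, offset, string)
    return found is not None and OPS[op](found, value)

def rule_matches(buf, tests):
    """Content match on the header name, then every byte_test relative to that cursor."""
    cursor = content_match(buf, b"Content-Length: ")
    if cursor is None:
        return False
    # The same cursor is reused for each test because byte_test does not move it.
    return all(byte_test(buf, cursor, **t) for t in tests)

if __name__ == "__main__":
    cur = content_match(RAW_HEADER, b"Content-Length: ")
    print(read_value(RAW_HEADER, cur, 3))                # 3225141 (0x313635)
    print(read_value(RAW_HEADER, cur, 10, string=True))  # 165, stopped at CR
    print(rule_matches(RAW_HEADER, [dict(nbytes=3, op="=", value=165)]))               # False
    print(rule_matches(RAW_HEADER, [dict(nbytes=3, op="=", value=165, string=True)]))  # True
```

The raw read explains why the lone ">,160" test in the thread matched: 0x313635 is far larger than 160, so the comparison passed for the wrong reason while "=,165" could never pass without "string,dec".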

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads

