[Snort-sigs] [Snort-devel] Length encoded protocol / LDAP and BER

Joel Esler (jesler) jesler at ...3865...
Sat Feb 11 21:58:21 EST 2017

Probably a better topic for the snort-sigs list.

Sent from my iPad

On Feb 11, 2017, at 12:30 PM, FOULDE Damien <damien.foulde at ...4205...<mailto:damien.foulde at ...4205...>> wrote:


No one interested in this topic?
That's a pity, this is quite an interesting technical challenge!


From: FOULDE Damien [mailto:damien.foulde at ...4205...]
Sent: Wednesday 25 January 2017 19:38
To: snort-devel at lists.sourceforge.net<mailto:snort-devel at ...1744...net>
Subject: [Snort-devel] Length encoded protocol / LDAP and BER


I'm faced with an issue dissecting a length-encoded protocol, LDAP in my case, which uses BER.
I'm blocked because the value extracted through "byte_extract" can only be supplied to the "offset" argument of the "byte_jump" rule keyword and not to the "bytes_to_convert" argument.

Let me take an example. I have the bytes below and I need to check the 0x80 byte:
82 00 05 12 24 56 78 12 80
0x82 = 10000010
The MSB is set to 1, so the value of the 7 other bits is not the length of the data but the number of bytes used to describe the length of the data; in this example, the number of bytes describing the length of the data is 0000010 = 2.
We can get this value through "byte_extract:1,0,var_length,relative,bitmask 0x7f;".
Then we would need to get the "00 05" = 5 value, to jump over the 5 following bytes, "12 24 56 78 12", and finally be able to test the 0x80 content we need to check.
This could be achieved through "byte_jump:var_length,0,relative;" if the "byte_jump" rule keyword accepted an extracted value for the "bytes_to_convert" argument; unfortunately this is not the case.
Did I miss a Snort feature which could achieve this?
Do you know if there is already a feature request for something like this?

Thank you & regards,
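The two-stage decode described in the post (read the length-of-length from the low 7 bits, then the length itself, then skip the value) as an added example in Python, not code from the thread or from Snort; `ber_length` and `byte_after_value` are names chosen here, and the sample bytes are the ones from the post, constructed inline.

```python
# Added example: minimal BER length decoding of the kind the post says
# Snort's byte_jump cannot express, because bytes_to_convert must be a
# literal rather than a value taken from byte_extract.

def ber_length(buf: bytes, pos: int) -> tuple:
    """Decode a BER length field starting at buf[pos].

    Returns (length, offset_of_first_value_byte).
    Short form: MSB clear, the low 7 bits are the length itself.
    Long form:  MSB set, the low 7 bits say how many following bytes
                hold the length (big-endian), e.g. 0x82 -> 2 bytes.
    A bare 0x80 is the indefinite form and is rejected here.
    """
    first = buf[pos]
    if first & 0x80 == 0:
        return first, pos + 1
    n = first & 0x7F  # same value the post extracts with "bitmask 0x7f"
    if n == 0:
        raise ValueError("indefinite BER length not supported")
    if pos + 1 + n > len(buf):
        raise ValueError("truncated BER length field")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    return length, pos + 1 + n


def byte_after_value(buf: bytes, pos: int) -> int:
    """Offset of the byte that follows the value whose length starts at pos.

    This is the position the post wants to test (the 0x80 byte); the
    bounds check matters because a hostile length can point past the packet.
    """
    length, value_start = ber_length(buf, pos)
    end = value_start + length
    if end >= len(buf):
        raise ValueError("BER value runs past end of buffer")
    return end


# Constructed sample taken from the post: 82 00 05 | 12 24 56 78 12 | 80
SAMPLE = bytes.fromhex("82 00 05 12 24 56 78 12 80")

if __name__ == "__main__":
    idx = byte_after_value(SAMPLE, 0)
    print(f"length-of-length=2, length=5, byte at offset {idx} = 0x{SAMPLE[idx]:02x}")
```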
