No subject


Thu Nov 23 16:34:03 EST 2017


Two things that I see right away that you might want to try and make your life easier.

from_beginning's function is to start its packet jumping at the beginning of the packet, as opposed to where your pointer is, and I am not sure that's what you are trying to do from reading your email.

Also, post_offset can confuse the novice, so you might want to make it simpler for you.

content:"|MM MM|"; byte_jump:3,0,relative; content:"|AA AA|"; distance:2; within:2;

From reading your email, that might be what you are trying to do, please let me know?

Joel

On Dec 16, 2010, at 5:55 PM, evejou wrote:

>
>
> > I was trying to write a signature for Snort v2.6.1.5. I have a question about using the distance/within tags after a byte_test, if that's even proper use for it.
>
> Oops. I meant, byte_jump.
>
>
>
> On Thu, Dec 16, 2010 at 5:54 PM, evejou <girl at ...3471...> wrote:
> Hi,
>
> I was trying to write a signature for Snort v2.6.1.5. I have a question about using the distance/within tags after a byte_test, if that's even proper use for it.
>
> Say there's a packet that looks kind of like this:
>
> MM MM OO OO OO [....] TT XX XX AA AA ...
>
> (MM -- magic number)
> (OO -- offset value that points to the TTs; this offset counts from the beginning of the file)
> (XX XX -- 2 bytes that I don't care about)
>
> I was trying to figure out where the pointer would be after a byte_jump, so I tried to write the following to see if it would trigger:
>       content:"|MM MM|"; byte_jump:3,0,relative,from_beginning,post_offset 2; content:"|AA AA|"; distance:0; within:2;
> I noticed that this didn't trigger, but that it did when I removed the "within:2" part.
>
>
> And then I tried the following:
>       content:"|MM MM|"; byte_jump:3,0,relative,from_beginning,post_offset 2; content:"|OO OO OO|"; distance:0; within:3;
> and this triggered as well.
>
> My first question is whether this is expected behavior (or am I doing something wrong?), and adjunctly to that, how I could get a hit on that second content tag (the |AA AA| part)...
>
>
> Thanks,
> Alice
>
> -- 
> ---
> girl at ...3471...
>
> Finché c'è vita, c'è speranza.
> As long as there is life, there is hope.
>
>
>
> -- 
> ---
> girl at ...3471...
>
> Finché c'è vita, c'è speranza.
> As long as there is life, there is hope.
> ------------------------------------------------------------------------------
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
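Alice's question is really about where the detection cursor sits after the byte_jump. The following is an added, stand-alone model of the cursor arithmetic that the Snort 2.x manual documents for byte_jump, distance and within; it is not code from this thread or from Snort, and it has not been checked against 2.6.1.5 specifically. The packet bytes, the TT_OFFSET value and the function names (content, byte_jump, run_rule, cursor_after_jump, alice_rule, post_offset3_rule) are constructed for the example and follow the layout sketched in the thread.

```python
"""Cursor arithmetic for Snort 2.x byte_jump / distance / within.

Added illustration, not code from the thread or from Snort. It models only
what the Snort 2.x manual documents (assumption: 2.6.1.5 behaves the same):

  * a content match leaves the detection cursor just past the match;
  * byte_jump:N,off,relative reads N bytes at cursor+off; without
    from_beginning the cursor moves to cursor+off+N+value (the jump is
    counted from the end of the converted bytes); with from_beginning it
    moves to payload_start+value; post_offset is added afterwards;
  * content ...; distance:D; within:W searches only the W bytes starting
    at cursor+D, and the whole pattern must fit inside that window.
"""


def content(buf, pattern, cursor, distance=0, within=None):
    """Return the cursor after a content match, or None if it fails."""
    start = cursor + distance
    end = len(buf) if within is None else start + within
    if start < 0 or start > len(buf):
        return None
    idx = buf.find(pattern, start, min(end, len(buf)))
    return None if idx < 0 else idx + len(pattern)


def byte_jump(buf, nbytes, offset, cursor, relative=False,
              from_beginning=False, post_offset=0, little=False):
    """Return the cursor after a byte_jump, or None if it runs out of bounds."""
    pos = (cursor if relative else 0) + offset
    if pos < 0 or pos + nbytes > len(buf):
        return None
    value = int.from_bytes(buf[pos:pos + nbytes], "little" if little else "big")
    if from_beginning:
        new_cursor = value + post_offset                 # counted from payload start
    else:
        new_cursor = pos + nbytes + value + post_offset  # from end of converted bytes
    return new_cursor if 0 <= new_cursor <= len(buf) else None


def run_rule(buf, steps):
    """Apply the rule options in order; final cursor, or None on the first failure."""
    cursor = 0
    for step in steps:
        cursor = step(buf, cursor)
        if cursor is None:
            return None
    return cursor


# Constructed packet in the thread's layout: MM MM OO OO OO [....] TT XX XX AA AA ...
TT_OFFSET = 16                                   # made-up position of the TT byte
PACKET = (
    b"MM"                                        # magic number
    + TT_OFFSET.to_bytes(3, "big")               # OO OO OO, counted from byte 0
    + b"." * (TT_OFFSET - 5)                     # [....] filler
    + b"T"                                       # TT
    + b"XX"                                      # two bytes we do not care about
    + b"AA"                                      # the bytes the second content wants
    + b"...."                                    # trailing data
)
assert PACKET[TT_OFFSET:TT_OFFSET + 1] == b"T"


def cursor_after_jump(buf, **jump_opts):
    """Cursor position after |MM MM| followed by byte_jump:3,0,relative,<opts>."""
    cursor = content(buf, b"MM", 0)
    return byte_jump(buf, 3, 0, cursor, relative=True, **jump_opts)


def alice_rule(within):
    """The thread's first rule; within=None models dropping the within modifier."""
    return [
        lambda b, c: content(b, b"MM", c),
        lambda b, c: byte_jump(b, 3, 0, c, relative=True,
                               from_beginning=True, post_offset=2),
        lambda b, c: content(b, b"AA", c, distance=0, within=within),
    ]


def post_offset3_rule():
    """Same rule with post_offset 3: the cursor then lands on the AA bytes."""
    return [
        lambda b, c: content(b, b"MM", c),
        lambda b, c: byte_jump(b, 3, 0, c, relative=True,
                               from_beginning=True, post_offset=3),
        lambda b, c: content(b, b"AA", c, distance=0, within=2),
    ]


if __name__ == "__main__":
    print("from_beginning, post_offset 2 ->", cursor_after_jump(PACKET, from_beginning=True, post_offset=2))
    print("relative only, no from_beginning ->", cursor_after_jump(PACKET))
    print("alice_rule within:2 ->", run_rule(PACKET, alice_rule(2)))
    print("alice_rule without within ->", run_rule(PACKET, alice_rule(None)))
    print("post_offset 3 variant ->", run_rule(PACKET, post_offset3_rule()))
```

Under these documented semantics, post_offset 2 parks the cursor on the second XX byte, so a two-byte pattern with within:2 has no room to match, while dropping within lets the search run to the end of the payload; a relative jump without from_beginning lands three bytes past the TT offset because the converted bytes are added to the jump. Feeding a real pcap's payload bytes to run_rule is a quick way to confirm whether a given Snort build agrees before adjusting the signature.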






More information about the Snort-sigs mailing list