[Snort-sigs] Issue with byte_test and bitmask

Damian Torres datorr2 at gmail.com
Wed Sep 27 18:04:36 EDT 2017


I've been working on some rules that involve byte_test and although I've
been able to flesh some of them out, I'm banging my head against the wall
with one in particular.  Here is what I'm currently working on:

alert udp any any -> any 53 (msg:"OpenVPN_P_CONTROL_HARD_RESET_CLIENT_V2";
byte_test:1,=,0x38,0,bitmask 0xF8; classtype:not-suspicious; sid:1; rev:1;)

The byte that I am trying to test against is the very first byte in the
beginning of the payload (right after the UDP header), byte 0.  Much like
DNS, this byte contains multiple values.  In this case, this contains two
values for the protocol.  The first five bits correspond to an opcode, and
the last three bits correspond to a key value.  So with 0x38, we have:

0011 1000

The first five bits have to be:

0011 1XXX - opcode of 7

I am trying to write the signature to fire regardless of what the last 3
bits are (any key) as long as the opcode is 7.  To do this, I tried:

byte_test:1,=,0x38,0;  -- This works if the opcode is 7 and the key is 0.
byte_test:1,=,0x38,0,bitmask 0xF8 -- This doesn't work at all.
byte_test:1,!&,0xc7,0; -- This fires on multiple opcodes.

My understanding is that with the "bitmask 0xF8" option, it should do a
bitwise AND operation using 0xF8 before evaluating the equality portion of
the byte_test, which should drop off the last 3 bits and keep the first 5
bits exactly and then make sure they equal 0x38, but for some reason, it
doesn't work.

I am testing this using Snort v2.9.9.0 GRE (Build 56) compiled from source.

Any assistance would be greatly appreciated.

Warm Regards,

Damian Torres
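An added example, not code from the post above: a small Python model of Snort's documented byte_test bitmask behaviour (the extracted value is ANDed with the mask and then right-shifted by the number of trailing zero bits in the mask), run over all 256 possible first-byte values for each rule variant in the post. The opcode/key split of the first byte follows the post; the payloads are constructed.

```python
def trailing_zeros(mask):
    """Number of trailing zero bits in a non-zero mask (0xF8 -> 3)."""
    if mask == 0:
        raise ValueError("bitmask must be non-zero")
    return (mask & -mask).bit_length() - 1


def byte_test(payload, offset, op, value, bitmask=None):
    """Model of a one-byte Snort byte_test: byte_test:1,<op>,<value>,<offset>[,bitmask <mask>]."""
    extracted = payload[offset]
    if bitmask is not None:
        # Snort ANDs with the mask and then right-shifts by the mask's trailing
        # zeros, so "bitmask 0xF8" yields the 5-bit opcode itself (0..31), not 0x38.
        extracted = (extracted & bitmask) >> trailing_zeros(bitmask)
    if op == "=":
        return extracted == value
    if op == "&":
        return (extracted & value) != 0
    if op == "!&":
        return (extracted & value) == 0
    raise ValueError("unsupported operator: " + op)


def matching_bytes(op, value, bitmask=None):
    """All 256 single-byte payloads (constructed) for which the test fires."""
    return {b for b in range(256) if byte_test(bytes([b]), 0, op, value, bitmask)}


def opcodes_of(byte_values):
    """Split used in the post: top 5 bits are the opcode, low 3 bits the key id."""
    return sorted({b >> 3 for b in byte_values})


# Opcode 7 with any of the 8 key ids: first byte 0x38..0x3F.
OPCODE7_ANY_KEY = {0x38 | k for k in range(8)}

if __name__ == "__main__":
    variants = [
        ("byte_test:1,=,0x38,0", ("=", 0x38, None)),
        ("byte_test:1,=,0x38,0,bitmask 0xF8", ("=", 0x38, 0xF8)),
        ("byte_test:1,!&,0xc7,0", ("!&", 0xC7, None)),
        ("byte_test:1,=,7,0,bitmask 0xF8", ("=", 7, 0xF8)),
    ]
    for label, args in variants:
        hits = matching_bytes(*args)
        print(f"{label:36s} bytes={[hex(b) for b in sorted(hits)]} opcodes={opcodes_of(hits)}")
```

The last variant is the one that fires on 0x38 through 0x3F and nothing else; the "!&" variant shows why the post saw it match several opcodes (every opcode with key id 0).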