[Snort-sigs] Issue with byte_test and bitmask

Al Lewis (allewi) allewi at cisco.com
Thu Sep 28 08:09:37 EDT 2017


I think you are missing the last part. From the manual for bitmask:

"Applies the AND operator on the bytes converted. The result will be right-shifted by the number of bits equal to the number of trailing zeros in the mask.”


So in your case the result will be shifted right 3 zeros resulting in the number 7 which is what you should be matching on.

Attached is a test.

In packets 1 and 3 the values are 0x38 and 0x3a. Doing the AND results in a match for both.

In packets 2 and 4 the values are 0x49 and 0x37. Doing the AND results in a non match for both.

[alewis at cliffjumper snort-]$ ./bin/snort -c etc/torres.conf -r /tmp/TRASH.pcap -Aconsole:test -q -k none
1 1 1 0
3 1 1 0
[alewis at cliffjumper snort-]$ cat etc/torres.conf | grep alert
alert udp any any -> any 53 (msg:"TEST for 0x38"; byte_test:1,=,0x07,0,bitmask 0xF8; sid:1; )

Try this out and let us know how it goes.


Albert Lewis
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com<mailto:allewi at cisco.com>

From: Snort-sigs <snort-sigs-bounces at lists.snort.org<mailto:snort-sigs-bounces at lists.snort.org>> on behalf of Damian Torres via Snort-sigs <snort-sigs at lists.snort.org<mailto:snort-sigs at lists.snort.org>>
Reply-To: Damian Torres <datorr2 at gmail.com<mailto:datorr2 at gmail.com>>
Date: Wednesday, September 27, 2017 at 6:04 PM
To: Snort-Sigs <snort-sigs at lists.snort.org<mailto:snort-sigs at lists.snort.org>>
Subject: [Snort-sigs] Issue with byte_test and bitmask


I've been working on some rules that involve byte_test and although I've been able to flesh some of them out, I'm banging my head against the wall with one in particular.  Here is what I'm currently working on:

alert udp any any -> any 53 (msg:"OpenVPN_P_CONTROL_HARD_RESET_CLIENT_V2"; byte_test:1,=,0x38,0,bitmask 0xF8; classtype:not-suspicious; sid:1; rev:1;)

The byte that I am trying to test against is the very first byte in the beginning of the payload (right after the UDP header), byte 0.  Much like DNS, this byte contains multiple values.  In this case, this contains two values for the protocol.  The first five bits corresponds to an opcode, and the last three bits corresponds to a key value.  So with 0x38, we have:

0011 1000

The first five bits have to be:

0011 1XXX - opcode of 7

I am trying to write the signature to fire regardless of what the last 3 bits are (any key) as long as the opcode is 7.  To do this, I tried:

byte_test:1,=,0x38,0;  -- This works if the opcode is 7 and the key is 0.
byte_test:1,=,0x38,0,bitmask 0xF8 -- This doesn't work at all.
byte_test:1,!&,0xc7,0; -- This fires on multiple opcodes.

My understand is that with the "bitmask 0xF8" option, it should do a bitwise AND operation using 0xF8 before evaluating the equality portion of the byte_test, which should drop off the last 3 bits and keep the first 5 bits exactly and then making sure they equal 0x38, but for some reason, it doesn't work

I am testing this using Snort v2.9.9.0 GRE (Build 56) compiled from source.

Any assistance would be greatly appreciated.

Warm Regards,

Damian Torres

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170928/4c58134a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: torres.conf
Type: application/octet-stream
Size: 409 bytes
Desc: torres.conf
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170928/4c58134a/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: torres.pcap
Type: application/octet-stream
Size: 328 bytes
Desc: torres.pcap
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170928/4c58134a/attachment-0001.obj>

More information about the Snort-sigs mailing list